Merged
Conversation
mortenlyn
force-pushed
the
refactor-saferedirectmixin
branch
from
95276ab to
fd7d0f1
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR updates the SafeRedirectMixin to improve URL validation and security by enhancing the handling of redirect URLs. The changes focus on making the redirect logic more robust and preventing potential security vulnerabilities.
- Enhanced URL extraction with proper string validation and trimming
- Improved parameter handling to avoid duplicate URL extraction
- Added comprehensive documentation for all methods
| next_url = self.request.POST.get(self.next_param) | ||
| if not next_url: | ||
| next_url = self.request.GET.get(self.next_param) | ||
| if isinstance(next_url, str): |
There was a problem hiding this comment.
The isinstance check is redundant since request.POST.get() and request.GET.get() always return strings or None. Consider removing this check or handle the case where next_url could be a list (if multiple values are provided for the same parameter).
Suggested change
| if isinstance(next_url, str): | |
| if isinstance(next_url, list): | |
| next_url = next_url[0] # Extract the first value if multiple are provided | |
| if next_url: |
| if not next_url: | ||
| return False | ||
| return url_has_allowed_host_and_scheme( | ||
| url=next_url, |
There was a problem hiding this comment.
[nitpick] The explicit 'url=' parameter name is unnecessary here since it's the first positional parameter of url_has_allowed_host_and_scheme. This change makes the code less consistent with the original implementation.
Suggested change
| url=next_url, | |
| next_url, |
aastabk
approved these changes
Jul 28, 2025
mortenlyn
force-pushed
the
refactor-saferedirectmixin
branch
from
fd7d0f1 to
7a56c1c
Compare
omfj
pushed a commit
that referenced
this pull request
Jul 28, 2025
Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no>
mortenlyn
added a commit
that referenced
this pull request
Jul 28, 2025
* Improve IsolationMethodAdmin. (#404) * Fix order by sample status (#421) * Improve dashboard overflow (#429) * Refactor SafeRedirectMixin to remove repetitive code (#419) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add filtering for sample status (#425) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * 423 remove is seen and is prioritized from table in a order (#432) * Restrict fields shown in placing an order * Keep is_urgent as a visible field * If an order is started (has genlab ids) it cannot be deleted by researchers (#434) * When all samples are isolated/analysed, the order is set to completed (#439) * Use tuples. (#418) * Equipment buttons moved up. Mark as seen button has consistent styling. (#438) * Equipment buttons moved up. Mark as seen button has consistent styling. * Mark as seen button follows correct styling * 406 assign responsible scientist to project (#411) * Added results contact info for analysis * Added migrations * Added migrations * Safe fields for name and email for analysis results * Mypy fix * Safer (?) fix * Fixed comments * Removed mark_safe() * Removed duplicate import * Changed names of columns (analysis results contact person) * Make field mandatory * Fix blank species field (#447) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Minor visual changes for analysis order (#446) * Minor visual changes for analysis order * Linter fix * Linter fix #2 * Linter fix #3 * Processing and complete status are always seen. Added buttons to equipment order. (#459) * Fix dashboard horizontal scroll (#460) * Add isolation method to multiple sample types (#427) * Status logic (#450) * Order will be set to processing or completed after being a draft if it has already been in those states * Made the status update to an Order method * Update SafeRedirectMixin (#440) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Refactor logic to choose when analysis_orders are shown in the CSV and fix N + 1 query. (#430) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Remove status transition buttons for delivered and processing orders (#454) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add FlagField serializer for boolean representation of sample status to keep code DRY (#455) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Make specified CSV filenames with order id --------- Co-authored-by: Emil Telstad <22004178+emilte@users.noreply.github.com> Co-authored-by: Ole Magnus <me@omfj.no> Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> Co-authored-by: Bertine <112892518+aastabk@users.noreply.github.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jul 30, 2025
* Improve IsolationMethodAdmin. (#404) * Fix order by sample status (#421) * Improve dashboard overflow (#429) * Refactor SafeRedirectMixin to remove repetitive code (#419) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add filtering for sample status (#425) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * 423 remove is seen and is prioritized from table in a order (#432) * Restrict fields shown in placing an order * Keep is_urgent as a visible field * If an order is started (has genlab ids) it cannot be deleted by researchers (#434) * When all samples are isolated/analysed, the order is set to completed (#439) * Use tuples. (#418) * Equipment buttons moved up. Mark as seen button has consistent styling. (#438) * Equipment buttons moved up. Mark as seen button has consistent styling. * Mark as seen button follows correct styling * 406 assign responsible scientist to project (#411) * Added results contact info for analysis * Added migrations * Added migrations * Safe fields for name and email for analysis results * Mypy fix * Safer (?) fix * Fixed comments * Removed mark_safe() * Removed duplicate import * Changed names of columns (analysis results contact person) * Make field mandatory * Fix blank species field (#447) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Minor visual changes for analysis order (#446) * Minor visual changes for analysis order * Linter fix * Linter fix #2 * Linter fix #3 * Processing and complete status are always seen. Added buttons to equipment order. (#459) * Fix dashboard horizontal scroll (#460) * Add isolation method to multiple sample types (#427) * Status logic (#450) * Order will be set to processing or completed after being a draft if it has already been in those states * Made the status update to an Order method * Update SafeRedirectMixin (#440) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Refactor logic to choose when analysis_orders are shown in the CSV and fix N + 1 query. (#430) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Remove status transition buttons for delivered and processing orders (#454) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add FlagField serializer for boolean representation of sample status to keep code DRY (#455) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Changed to "Clear all" as filter text. Samples page also can clear filters. (#467) * Change name on downloaded csv file (#457) * Improve IsolationMethodAdmin. (#404) * Fix order by sample status (#421) * Improve dashboard overflow (#429) * Refactor SafeRedirectMixin to remove repetitive code (#419) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add filtering for sample status (#425) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * 423 remove is seen and is prioritized from table in a order (#432) * Restrict fields shown in placing an order * Keep is_urgent as a visible field * If an order is started (has genlab ids) it cannot be deleted by researchers (#434) * When all samples are isolated/analysed, the order is set to completed (#439) * Use tuples. (#418) * Equipment buttons moved up. Mark as seen button has consistent styling. (#438) * Equipment buttons moved up. Mark as seen button has consistent styling. * Mark as seen button follows correct styling * 406 assign responsible scientist to project (#411) * Added results contact info for analysis * Added migrations * Added migrations * Safe fields for name and email for analysis results * Mypy fix * Safer (?) fix * Fixed comments * Removed mark_safe() * Removed duplicate import * Changed names of columns (analysis results contact person) * Make field mandatory * Fix blank species field (#447) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Minor visual changes for analysis order (#446) * Minor visual changes for analysis order * Linter fix * Linter fix #2 * Linter fix #3 * Processing and complete status are always seen. Added buttons to equipment order. (#459) * Fix dashboard horizontal scroll (#460) * Add isolation method to multiple sample types (#427) * Status logic (#450) * Order will be set to processing or completed after being a draft if it has already been in those states * Made the status update to an Order method * Update SafeRedirectMixin (#440) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Refactor logic to choose when analysis_orders are shown in the CSV and fix N + 1 query. (#430) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Remove status transition buttons for delivered and processing orders (#454) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add FlagField serializer for boolean representation of sample status to keep code DRY (#455) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Make specified CSV filenames with order id --------- Co-authored-by: Emil Telstad <22004178+emilte@users.noreply.github.com> Co-authored-by: Ole Magnus <me@omfj.no> Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> Co-authored-by: Bertine <112892518+aastabk@users.noreply.github.com> * Add AnalysisMarkerAutocomplete and filter for markers in AnalysisOrders page (#461) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * 462 refactor sample status filtering 2 (#468) * Filter on marked, plucked and isolated * Remove prints * Reuse filter method * Remove prioritization feature on samples (#471) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add markers to staff samples view (#428) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Update logic for analysisorder (#472) * Remove custom order on dashboard (#475) * Fixed error in mark as seen. Adding svg for exclaimation mark. (#481) * Fixed error in mark as seen. Adding svg for exclaimation mark. * Cleanup * Assign staff multiselect (#300) * Add project filtering and activation features (#480) - Introduced ProjectFilter for filtering projects by number, name, verified status, and active status. - Updated ProjectTable to include a toggle for project activation. - Created templates for project verification and activation buttons. - Added ProjectArchiveActionView to handle project activation state changes. - Updated URLs to include the new archive action for projects. Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Style dashboard table (#483) * Use format_html (#479) * Add static choices support and hide statuses by default in filters (#486) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Remove genetic from table column name (#487) * Set order to processing when updating sample status (#485) * Major visual changes (#488) * Update column order complete sheet csv for terrestrisk (#490) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Fix N+1 query by prefetching order (#491) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Prefetch isolation method to fix N+1 query (#492) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add progress abr for isolated samples (#510) --------- Co-authored-by: Emil Telstad <22004178+emilte@users.noreply.github.com> Co-authored-by: Morten Lyngstad <81157760+mortenlyn@users.noreply.github.com> Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> Co-authored-by: Bertine <112892518+aastabk@users.noreply.github.com>
nicokant
pushed a commit
that referenced
this pull request
Jul 30, 2025
Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no>
nicokant
pushed a commit
that referenced
this pull request
Jul 30, 2025
* Improve IsolationMethodAdmin. (#404) * Fix order by sample status (#421) * Improve dashboard overflow (#429) * Refactor SafeRedirectMixin to remove repetitive code (#419) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add filtering for sample status (#425) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * 423 remove is seen and is prioritized from table in a order (#432) * Restrict fields shown in placing an order * Keep is_urgent as a visible field * If an order is started (has genlab ids) it cannot be deleted by researchers (#434) * When all samples are isolated/analysed, the order is set to completed (#439) * Use tuples. (#418) * Equipment buttons moved up. Mark as seen button has consistent styling. (#438) * Equipment buttons moved up. Mark as seen button has consistent styling. * Mark as seen button follows correct styling * 406 assign responsible scientist to project (#411) * Added results contact info for analysis * Added migrations * Added migrations * Safe fields for name and email for analysis results * Mypy fix * Safer (?) fix * Fixed comments * Removed mark_safe() * Removed duplicate import * Changed names of columns (analysis results contact person) * Make field mandatory * Fix blank species field (#447) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Minor visual changes for analysis order (#446) * Minor visual changes for analysis order * Linter fix * Linter fix #2 * Linter fix #3 * Processing and complete status are always seen. Added buttons to equipment order. (#459) * Fix dashboard horizontal scroll (#460) * Add isolation method to multiple sample types (#427) * Status logic (#450) * Order will be set to processing or completed after being a draft if it has already been in those states * Made the status update to an Order method * Update SafeRedirectMixin (#440) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Refactor logic to choose when analysis_orders are shown in the CSV and fix N + 1 query. (#430) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Remove status transition buttons for delivered and processing orders (#454) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add FlagField serializer for boolean representation of sample status to keep code DRY (#455) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Make specified CSV filenames with order id --------- Co-authored-by: Emil Telstad <22004178+emilte@users.noreply.github.com> Co-authored-by: Ole Magnus <me@omfj.no> Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> Co-authored-by: Bertine <112892518+aastabk@users.noreply.github.com>
Closed
nicokant
pushed a commit
that referenced
this pull request
Jul 30, 2025
Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no>
nicokant
pushed a commit
that referenced
this pull request
Jul 30, 2025
* Improve IsolationMethodAdmin. (#404) * Fix order by sample status (#421) * Improve dashboard overflow (#429) * Refactor SafeRedirectMixin to remove repetitive code (#419) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add filtering for sample status (#425) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * 423 remove is seen and is prioritized from table in a order (#432) * Restrict fields shown in placing an order * Keep is_urgent as a visible field * If an order is started (has genlab ids) it cannot be deleted by researchers (#434) * When all samples are isolated/analysed, the order is set to completed (#439) * Use tuples. (#418) * Equipment buttons moved up. Mark as seen button has consistent styling. (#438) * Equipment buttons moved up. Mark as seen button has consistent styling. * Mark as seen button follows correct styling * 406 assign responsible scientist to project (#411) * Added results contact info for analysis * Added migrations * Added migrations * Safe fields for name and email for analysis results * Mypy fix * Safer (?) fix * Fixed comments * Removed mark_safe() * Removed duplicate import * Changed names of columns (analysis results contact person) * Make field mandatory * Fix blank species field (#447) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Minor visual changes for analysis order (#446) * Minor visual changes for analysis order * Linter fix * Linter fix #2 * Linter fix #3 * Processing and complete status are always seen. Added buttons to equipment order. (#459) * Fix dashboard horizontal scroll (#460) * Add isolation method to multiple sample types (#427) * Status logic (#450) * Order will be set to processing or completed after being a draft if it has already been in those states * Made the status update to an Order method * Update SafeRedirectMixin (#440) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Refactor logic to choose when analysis_orders are shown in the CSV and fix N + 1 query. (#430) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Remove status transition buttons for delivered and processing orders (#454) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Add FlagField serializer for boolean representation of sample status to keep code DRY (#455) Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> * Make specified CSV filenames with order id --------- Co-authored-by: Emil Telstad <22004178+emilte@users.noreply.github.com> Co-authored-by: Ole Magnus <me@omfj.no> Co-authored-by: Morten Madsen Lyngstad <morten.lyngstad@bekk.no> Co-authored-by: Bertine <112892518+aastabk@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Can we check that this fixes the issue the github-advanced-security bot found without pushing it?