crew matrix and testing#352

Merged
ethrgeist merged 11 commits intomainfrom
dev
Mar 22, 2026
Conversation

@ethrgeist
Member

No description provided.

…nment logic to a separate service and add tests for account context assignment
…ontext processors, and streamline event switching functionality
- Deleted the old join_view_test.py file.
- Created a new test file test_join_view.py with comprehensive test cases for the exhibitor join view.
- Added tests for handling anonymous users, unknown event slugs, incomplete profiles, and existing submissions.
- Mocked template rendering and user profile checks to ensure proper response handling.
- Updated dependencies in uv.lock to include coverage, pytest, pytest-cov, and pytest-django for improved testing capabilities.
@ethrgeist ethrgeist merged commit 4091d27 into main Mar 22, 2026
8 checks passed
_set_event_session(request, event)
messages.success(request, f'Event gewechselt zu: {event.name}')
return redirect('crm_user_home')
return redirect(_get_redirect_path(request, event))

Check warning

Code scanning / CodeQL

URL redirection from remote source

Untrusted URL redirection depends on a user-provided value.

Copilot Autofix

AI 7 days ago

In general, to fix untrusted URL redirection you should ensure that any user-provided redirect target is either (a) selected from a server-maintained whitelist, or (b) constrained to safe forms such as same-site relative paths and validated with a trusted helper. In this code, the main remaining risk (and what CodeQL flags) is that next_path can be an absolute URL on the same host, which is allowed by url_has_allowed_host_and_scheme but not strictly necessary here. Tightening _get_safe_next_path so that it only returns relative URLs (no scheme/host) will both harden security and make the dataflow obviously safe.

Concretely, the best minimal fix without changing higher-level behavior is:

  • In _get_safe_next_path, after confirming with url_has_allowed_host_and_scheme, parse next_path with urllib.parse.urlparse.
  • If the parsed value has any scheme or netloc, treat it as unsafe and return None; otherwise, it is a relative path and safe to use.
  • Keep the existing url_has_allowed_host_and_scheme call as an additional safeguard (e.g., for odd encodings, backslashes, etc.), but ensure the function only returns paths relative to the current host.
  • Since this file already imports Django’s helper and standard library urlparse is not yet imported, add an import for urlparse from urllib.parse at the top of switch_event.py.

No changes are needed in event_lookup.py: it only manipulates path segments and does not introduce new host/scheme information. The only edits are in src/rockon/base/views/switch_event.py: add the urlparse import and extend _get_safe_next_path to reject any absolute URLs.

Suggested changeset 1
src/rockon/base/views/switch_event.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/rockon/base/views/switch_event.py b/src/rockon/base/views/switch_event.py
--- a/src/rockon/base/views/switch_event.py
+++ b/src/rockon/base/views/switch_event.py
@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+from urllib.parse import urlparse
+
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.shortcuts import redirect
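Review bot: import placement is fine; `from urllib.parse import urlparse` sits in its own standard-library group between `from __future__ import annotations` and the Django imports, which matches the ordering the file already uses. Nothing to change here.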
@@ -72,4 +74,9 @@
     ):
         return None
 
+    parsed = urlparse(next_path)
+    # Only allow relative paths without an explicit scheme or host
+    if parsed.scheme or parsed.netloc:
+        return None
+
     return next_path
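Review bot: the new guard is deliberately stricter than `url_has_allowed_host_and_scheme` (that helper still accepts absolute URLs on the current host), but the comment only says what it does, not why; consider widening it to something like `# url_has_allowed_host_and_scheme accepts same-host absolute URLs; only host-relative paths are wanted here`. Since this PR adds view tests, the guard also deserves two cases of its own: an absolute same-host URL and a protocol-relative `//host/path` value, both expected to yield None (the latter is caught because `urlparse` places `host` in `netloc`). Keep the existing helper call ahead of it, as the autofix text says, because `urlparse` alone leaves a backslash-based `/\host` form with an empty netloc.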
EOF
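The autofix above describes the rule in prose: keep Django's allowed-host check, then additionally refuse anything with a scheme or netloc so only host-relative paths survive. The block below is an added, stand-alone illustration of that rule (not code from the rockon project or from the autofix) that uses only the standard library, so the Django helper is replaced by an approximation of its backslash and control-character handling; HOME_PATH and the function names are hypothetical.

```python
"""Stdlib-only check that a ``next`` parameter is a host-relative path (added example)."""
from __future__ import annotations

import unicodedata
from urllib.parse import urlparse

HOME_PATH = "/"  # hypothetical fallback, standing in for the 'crm_user_home' redirect


def is_safe_relative_path(next_path: str | None) -> bool:
    """Accept only '/path?query#fragment' targets on the current host.

    Stage one approximates Django's url_has_allowed_host_and_scheme with
    standard-library code (this is an assumption, not Django's own logic);
    stage two is the autofix's stricter "no scheme, no netloc" rule, which
    also drops absolute URLs that happen to point at the same host.
    """
    if not next_path:
        return False
    next_path = next_path.strip()
    if not next_path:
        return False
    # Browsers skip leading control characters, which can turn a path into a
    # scheme-relative URL; refuse such values outright.
    if unicodedata.category(next_path[0]).startswith("C"):
        return False
    # Browsers treat backslashes as slashes, so validate both spellings.
    for candidate in (next_path, next_path.replace("\\", "/")):
        parsed = urlparse(candidate)
        if parsed.scheme or parsed.netloc:
            return False  # absolute or protocol-relative URL
        if not candidate.startswith("/") or candidate.startswith("//"):
            return False  # not host-relative, or a '//host' / '///host' form
    return True


def redirect_target(next_path: str | None, fallback: str = HOME_PATH) -> str:
    """Return the validated path, or the fallback when it is missing or unsafe."""
    return next_path.strip() if is_safe_relative_path(next_path) else fallback
```

A same-host absolute URL such as `https://app.example/crm/` is the case the original helper would have passed and this rule rejects.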
