GeoJSON.get() and MVT.get() views have side effects #10664

Closed
jacobtylerwalls opened this issue Mar 7, 2024 · 0 comments · Fixed by #11491
Comments

@jacobtylerwalls (Member)
Was reading up on CSRF today and recalled that HTTP GET requests shouldn't have side-effects (and for that reason aren't protected against CSRF).

We have a couple of GET views that save UserProfile rows:

```python
# in GeoJSON.get()
if hasattr(request.user, "userprofile") is not True:
    models.UserProfile.objects.create(user=request.user)
```

```python
# in MVT.get()
if hasattr(request.user, "userprofile") is not True:
    models.UserProfile.objects.create(user=request.user)
```

I can't see any attack vector here, so this is just a cleanup opportunity. We seem to be doing this merely for the sake of calling the UserProfile.viewable_nodegroups property. Creating a db row just for the sake of calling a function is something we can avoid: one, to be more RESTful, and two, to shave off a db query.
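The reason the issue gives for the cleanup, that CSRF protection deliberately skips GET, is easy to see in a small model. The following is an added example, not code from the issue or from the Arches project: a framework-free sketch of the rule Django's CsrfViewMiddleware applies (safe methods are not token-checked), a GET handler with the create-if-missing guard next to a read-only one, and a "write path" that creates the profile with the user so the guard becomes unnecessary. The request/profile classes, the `dispatch` helper and the scenario in `demo()` are constructed for illustration.

```python
"""Added example: why a side-effecting GET sits outside the CSRF check.

Framework-free model, not project code. Mirrors the rule Django's
CsrfViewMiddleware uses: safe methods skip the token comparison.
"""
import secrets
from dataclasses import dataclass, field

# RFC 9110 "safe" methods; these are exempt from the CSRF token check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    method: str
    user: str  # assumption: already resolved from the session cookie
    headers: dict = field(default_factory=dict)


class CsrfFailure(Exception):
    pass


def csrf_check(request: Request, session_token: str) -> None:
    """Reject unsafe requests lacking the per-session token.

    Safe methods pass through precisely because they are expected to have
    no side effects, so a GET that writes gets no protection at all.
    """
    if request.method in SAFE_METHODS:
        return
    sent = request.headers.get("X-CSRFToken", "")
    if not secrets.compare_digest(sent, session_token):
        raise CsrfFailure("CSRF token missing or incorrect")


class UserProfiles:
    """Stand-in for the UserProfile table; counts writes for the demo."""

    def __init__(self):
        self.rows = set()
        self.writes = 0

    def exists(self, user):
        return user in self.rows

    def create(self, user):
        self.rows.add(user)
        self.writes += 1


def get_view_with_side_effect(request, profiles):
    # The pattern the issue flags: a GET that creates a row when none exists.
    if not profiles.exists(request.user):
        profiles.create(request.user)
    return {"type": "FeatureCollection", "features": []}


def get_view_read_only(request, profiles):
    # Hardened form: the GET only reads. The row is guaranteed by the write
    # path that creates the user (create_user below), so no guard is needed.
    return {"type": "FeatureCollection", "features": [],
            "has_profile": profiles.exists(request.user)}


def create_user(username, profiles):
    """Write path (a POST-driven signup, for instance): the profile is
    created together with the user, so every later GET finds it."""
    profiles.create(username)


def dispatch(view, request, profiles, session_token="tok"):
    csrf_check(request, session_token)
    return view(request, profiles)


def cross_site_get(user):
    """What the browser sends when a third-party page embeds <img src=...>:
    the session cookie rides along and no CSRF header is set."""
    return Request("GET", user=user)


def demo():
    """Constructed scenario: a logged-in user without a profile row is
    made to issue a GET from another origin."""
    results = {}

    profiles = UserProfiles()
    dispatch(get_view_with_side_effect, cross_site_get("alice"), profiles)
    # The write happened and the CSRF check never ran.
    results["buggy_get_writes"] = profiles.writes

    # The same handler behind an unsafe method without a token is refused.
    try:
        dispatch(get_view_with_side_effect, Request("POST", user="alice"), profiles)
        results["post_blocked"] = False
    except CsrfFailure:
        results["post_blocked"] = True

    # Hardened: the profile is created on the write path; the GET writes nothing.
    profiles2 = UserProfiles()
    create_user("alice", profiles2)
    before = profiles2.writes
    resp = dispatch(get_view_read_only, cross_site_get("alice"), profiles2)
    results["fixed_get_writes"] = profiles2.writes - before
    results["fixed_get_has_profile"] = resp["has_profile"]
    return results


if __name__ == "__main__":
    print(demo())
```

The point to carry away is structural rather than a specific attack: whatever the middleware does for POST, it does nothing for GET, so the only way to keep a GET out of CSRF scope is to make it a pure read, which is what the linked fix does by relying on the profile always existing.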

jacobtylerwalls added a commit that referenced this issue Sep 24, 2024
UserProfiles always exist since #8022.
1ca5c32 removed some cruft guards for missing profiles.
This removes the rest, which makes it more clear that these GETs
do not have side-effects (and thus CSRF attack vectors).