AI security fixes

2026-04-08 21:23:12 +02:00
parent 2beb7aa75a
commit 149a488795
9 changed files with 279 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,6 @@
 /.idea
 /._bootstrapTemplates
 /env
+.env
+/blechreiz/static_collection
+/blechreiz/media/user_images
--- a/blechreiz/context_processors.py
+++ b/blechreiz/context_processors.py
@@ -0,0 +1,7 @@
+import os
+
+
+def google_maps(request):
+    return {
+        "GOOGLE_MAPS_API_KEY": os.environ.get("GOOGLE_MAPS_API_KEY", ""),
+    }
--- a/blechreiz/settings.py
+++ b/blechreiz/settings.py
@@ -6,6 +6,13 @@ from pathlib import Path
 BASE_DIR = Path(__file__).resolve().parent
 PROJECT_PATH = os.path.abspath(os.path.dirname(__file__))

+# Load environment variables from .env file if python-dotenv is installed
+try:
+    from dotenv import load_dotenv
+    load_dotenv(os.path.join(PROJECT_PATH, ".env"))
+except ImportError:
+    pass
+

 # Django settings for blechreiz project.

@@ -32,7 +39,7 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

 EMAIL_HOST = "smtp.blechreiz.com"
 EMAIL_HOST_USER = "m02b721a"
-EMAIL_HOST_PASSWORD = "9Hp4WG5bZ2WVPX5z"
+EMAIL_HOST_PASSWORD = os.environ.get("EMAIL_HOST_PASSWORD", "")
 EMAIL_USE_TLS = False


@@ -83,7 +90,7 @@ STATICFILES_FINDERS = [
 ]

 # Make this unique, and don't share it with anybody.
-SECRET_KEY = "x$8&9s6t%eeg=wyhar87934wh_s$dbpm(73g4ho&n)9_wogj6p"
+SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]

 MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
@@ -119,7 +126,6 @@ TEMPLATES = [
                "django.template.context_processors.media",
                "django.template.context_processors.static",
                "sekizai.context_processors.sekizai",
-                "blechreiz.context_processors.google_maps",
            ],
        },
    },
@@ -165,18 +171,12 @@ GCAL_COUPLING = {
    "eventPrefix": "Blechreiz: ",
    "developerKey": "blechreiz-homepage",
    "clientId": "34462582242-4kpdvvbi27ajt4u22uitqurpve9o8ipj.apps.googleusercontent.com",
-    "client_secret": "y4t9XBrJdCODPTO5UvtONWWn",
+    "client_secret": os.environ.get("GCAL_CLIENT_SECRET", ""),
    "credentials_file": PROJECT_PATH + "/calendarCredentials.dat",
    "push_url": "https://blechreiz.bauer.technology/eventplanner_gcal/gcalApiCallback",
 }


-# Google Maps API Key
-# Get your API key from https://console.cloud.google.com/apis/credentials
-# Enable the Maps JavaScript API and Geocoding API
-GOOGLE_MAPS_API_KEY = "AIzaSyCf9Lm5ckjmVd08scTOd7fB1dC_UCoumKg"
-
-
 # Crispy Forms configuration
 CRISPY_ALLOWED_TEMPLATE_PACKS = "bootstrap5"
 CRISPY_TEMPLATE_PACK = "bootstrap5"
--- a/eventplanner/views.py
+++ b/eventplanner/views.py
@@ -2,6 +2,7 @@ import datetime

 from crispy_forms.helper import FormHelper
 from crispy_forms.layout import Submit
+from django.core.exceptions import PermissionDenied
 from django.forms import TextInput
 from django.forms.models import ModelForm
 from django.http import HttpResponse
@@ -114,6 +115,8 @@ def events_grid(request):


 def deleteEvent(request, pk):
+    if not EventParticipation.isAdmin(request.user):
+        raise PermissionDenied
    Event.objects.get(pk=pk).delete()
    return redirect(events_grid)

--- a/location_field/static/location_field/form.css
+++ b/location_field/static/location_field/form.css
@@ -0,0 +1,39 @@
+
+/* Hide map dialog initially - jQuery UI dialog will show it */
+.map_dialog {
+	display: none;
+}
+
+input.locationwidget 
+{
+	cursor: pointer !important;	
+	background-color: rgb(255, 255, 255) !important;
+}
+
+.map_dialog .form-horizontal
+{
+	margin-top: 10px;
+}
+
+.map_dialog input
+{
+	width: 390px;
+}
+
+
+
+.map_dialog input.displayed_location_input
+{
+	width: 350px;
+}
+
+.map_dialog .map_canvas img
+{
+	max-width: none;
+}
+
+.map_dialog label
+{
+	margin-bottom: 0px;
+	display: inline;
+}
--- a/location_field/static/location_field/form.js
+++ b/location_field/static/location_field/form.js
@@ -0,0 +1,190 @@
+($ || django.jQuery)(function($){
+	
+	
+
+	// map:              the div that is made to the map
+	// coordinate_field: input element where position & zoom is stored ( and read to init the map )
+    function MapObject( mapDiv, coordinate_field, init_position, init_zoom )
+    {
+    	// Default Argument for init_position
+    	init_position = typeof init_position !== 'undefined' ? init_position : new google.maps.LatLng( 49.340174,10.890595 );
+    	init_zoom     = typeof init_zoom     !== 'undefined' ? init_zoom     : 16;
+
+    	
+		// --------------------------- Members    --------------------------------------
+    	
+        this.map      = new google.maps.Map( mapDiv, {
+        					mapTypeId: google.maps.MapTypeId.HYBRID, 
+        					zoomControl: true,
+        					streetViewControl: false,
+						    zoomControlOptions: {  style: google.maps.ZoomControlStyle.SMALL  }
+        					} );
+        
+        this.geocoder = new google.maps.Geocoder();
+        this.geocoder.region = "de";
+        this.geocoder.location = init_position;
+        
+		this.marker = new google.maps.Marker({
+				        map: this.map,
+				        position: init_position,
+				        draggable: true
+				     });       
+
+				     
+		// --------------------------- Methods    --------------------------------------
+
+		this.placeMarkerUsingAddressString = function ( addressStr )
+		{
+			var theObject = this;
+			this.geocode( addressStr , function(l) {
+				theObject.placeMarker( l );
+				theObject.saveToInputField();
+            });
+		}
+		
+        this.placeMarker = function( location ) 
+        {
+            this.marker.setPosition( location );
+            this.map.setCenter( location );
+            this.map.panTo( location );
+        }
+        
+        
+        this.geocode = function(address, cb) 
+        {
+            var result;
+            if (this.geocoder) {
+                this.geocoder.geocode({"address": address}, function(results, status) {
+                    if (status == google.maps.GeocoderStatus.OK) {
+                        cb(results[0].geometry.location);
+                    }
+                });
+            }
+        }
+        
+       this.geocode_reverse = function( cb) 
+       {
+            if (this.geocoder) {
+                this.geocoder.geocode({"latLng": this.marker.getPosition() }, function(results, status) {
+                    if (status == google.maps.GeocoderStatus.OK) {
+                        cb( results );
+                    }
+                });
+            }
+        }
+        
+        this.saveToInputField = function()  
+        {
+        	var p = this.marker.getPosition();
+        	coordinate_field.value =  p.lat().toFixed(6) + "," + p.lng().toFixed(6) + "," + this.map.getZoom() ;
+	    }
+        
+	    this.loadFromInputField = function()
+	    {
+            if ( coordinate_field.value ) // Already values in the coordinate field
+            {
+                var l = coordinate_field.value.split(/,/);
+                if (l.length > 1)
+                {
+                	this.placeMarker( new google.maps.LatLng(l[0], l[1]) );
+                    this.map.setZoom( parseInt( l[2] ) );
+                }
+            }
+            else
+            {
+            	this.placeMarker( init_position );
+                this.map.setZoom( 16 );
+            }
+	    }
+	    
+
+		// --------------------------- Constructor -------------------------------------
+        
+        this.init = function()
+        {
+        	var theObject = this;
+        	// Event handling
+            google.maps.event.addListener( this.marker, 'dragend', function(mouseEvent) {
+            	theObject.saveToInputField();
+            });
+
+            google.maps.event.addListener( this.map, 'click', function(mouseEvent){
+            	theObject.placeMarker( mouseEvent.latLng );
+            	theObject.saveToInputField();
+            });
+            
+            google.maps.event.addListener( this.map, 'zoom_changed', function(mouseEvent){
+            	theObject.saveToInputField();
+            });
+            
+            theObject.loadFromInputField();
+        }
+        
+        this.init();
+    }
+    
+    
+    $(".map_dialog").dialog( {
+    	modal: true,
+    	width: 650,
+    	height: 730,
+    	resizeable: false,
+    	autoOpen: false
+    } );
+    
+    
+    $('input[data-location-widget]').click( function() {
+    	
+    	var formCoordField = $(this);
+    	var $basedField     = $( formCoordField.attr('data-based-field') );
+    	var $dialogElement  = $( formCoordField.attr('data-dialog-id') );
+    	
+       	var $dialogCoordField     = $dialogElement.find(".coordinate_input");
+       	var $dialogLocationField  = $dialogElement.find(".displayed_location_input");
+       	$dialogLocationField.val( $basedField.val() );
+    	$dialogCoordField.val( formCoordField.val() );
+    	
+    	// Init Map if not yet initialized:
+    	var map;
+    	if ( ! $dialogElement[0].map )
+		{
+                map              = $( formCoordField.attr('data-map') )[0];
+            var zoom             = parseInt( formCoordField.attr('data-zoom') );
+            
+            // Add Buttons
+            $dialogElement.dialog( "option", "buttons", {
+    			Abbrechen: function() {
+	 	      	   $( this ).dialog( "close" );
+	       		},
+	 	        Ok: function() {
+	       		   $(formCoordField).val( $dialogCoordField.val() );
+	       		   $basedField.val( $dialogLocationField.val() );
+	 	           $( this ).dialog( "close" );
+	 	        } } 
+            );
+
+            // Init Map
+    		$dialogElement[0].map = new MapObject( map, $dialogCoordField[0] );
+		}
+    	$dialogElement[0].map.placeMarkerUsingAddressString( $dialogLocationField.val() );
+    	
+		$dialogLocationField.on("keypress", function(e) {
+				if ( e.keyCode == 13 ) { // enter
+					$dialogElement[0].map.placeMarkerUsingAddressString( $dialogLocationField.val() );
+					return false;
+				}
+			});
+		
+		$dialogElement.find(".coord_to_display_button").click( function() {
+			$dialogElement[0].map.geocode_reverse(  function(result) {
+				$dialogLocationField.val( result[0].formatted_address );
+			});
+		});
+
+		
+    	$dialogElement.dialog('open');
+    });
+    
+    
+    
+});
--- a/location_field/widgets.py
+++ b/location_field/widgets.py
@@ -1,6 +1,5 @@
 import os

-from django.conf import settings
 from django.forms import widgets
 from django.utils.safestring import mark_safe

@@ -57,7 +56,7 @@ class LocationWidget(widgets.TextInput):

    @property
    def media(self):
-        api_key = getattr(settings, "GOOGLE_MAPS_API_KEY", "")
+        api_key = os.environ.get("GOOGLE_MAPS_API_KEY", "")
        maps_url = f"https://maps.googleapis.com/maps/api/js?key={api_key}&language=de"
        
        return widgets.Media(
--- a/musicians/views.py
+++ b/musicians/views.py
@@ -5,6 +5,7 @@ from django import forms
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.models import User
 from django.contrib.auth.views import PasswordChangeView
+from django.core.exceptions import PermissionDenied
 from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse_lazy
@@ -76,6 +77,9 @@ def own_profile(request):
 def user_edit(request, username):
    musician = get_object_or_404(Musician, user__username=username)

+    if request.user != musician.user and not request.user.is_staff:
+        raise PermissionDenied
+
    if request.method == "POST":
        form = UserEditForm(request.POST, instance=musician)
        if form.is_valid():
@@ -93,7 +97,20 @@ class MusicianUpdate(UpdateView):
    model = Musician
    template_name = "musicians/musician_edit.html"
    success_url = "/books/"
-    fields = "__all__"
+    fields = [
+        "image",
+        "small_image",
+        "instrument",
+        "birthday",
+        "street",
+        "city",
+        "zip_code",
+        "phone_home",
+        "phone_mobile",
+        "phone_work",
+        "position",
+        "public_description",
+    ]


 def addressbook(request):
@@ -137,11 +154,11 @@ def login_view(request):
        result["err"] = ""
        if user is not None:
            if user.is_active:
-                if not request.POST.get("remember", None):
-                    # Expire in one year
+                if request.POST.get("remember", None):
+                    # "Remember me" checked: keep session for one year
                    request.session.set_expiry(timedelta(weeks=52))
                else:
-                    # Expire on browser close
+                    # No "remember me": expire on browser close
                    request.session.set_expiry(0)

                login(request, user)
--- a/website/views.py
+++ b/website/views.py
@@ -1,3 +1,5 @@
+import os
+
 from django.contrib.auth.decorators import login_required
 from django.shortcuts import render

@@ -10,7 +12,9 @@ from eventplanner.snippets import (

@login_required
 def home_view(request):
-    context = {}
+    context = {
+        "GOOGLE_MAPS_API_KEY": os.environ.get("GOOGLE_MAPS_API_KEY", ""),
+    }

    # Event participation for slider text
    if EventParticipation.isMember(request.user):