[IMP] formio_storage_filestore: raise AccessDenied if not baseUrl in …

…POST.
vha · Jan 15, 2021 · fba461a · fba461a
1 parent 4594b4b
commit fba461a
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/formio_storage_filestore/models/ir_http.py b/formio_storage_filestore/models/ir_http.py
@@ -26,9 +26,16 @@ def _authenticate_formio_storage_filestore(cls, endpoint):
  if auth_method == 'user' and request._context.get('uid'):
  return super(IrHttp, cls)._authenticate(endpoint)
  else:
- # Security measurement for public POST/uploads,
- # because CSRF is disabled (needed) for this endpoint.
+ # Security measurement for public POST/uploads, because
+ # CSRF is disabled (needed) for this endpoint.
+
+ # The baseUrl param was set on the Formio (JavaScript)
+ # object and send by the XMLHttpRequest to this
+ # endpoint.
  base_url = request.httprequest.args.get('baseUrl')
+ if not base_url:
+ return False
+
  if '/formio/public/form/create' in base_url:
  uuid = os.path.basename(os.path.normpath(base_url))
  domain = [('uuid', '=', uuid), ('public', '=', True)]