Various fixes and changes, security problems fixed, bugs resolved.

* Application status is now policed through APPLICATION_STATUS_ROUTES. * Blacklisted application cannot be accepted. * Blacklists are checked case insensitively. * The template now shows blacklist advisories * Applications are no longer flagged as Blacklisted unless they have a blacklist entry
2025-12-14 14:52:15 +00:00 · 2011-07-09 11:05:59 +01:00
parent 99a2c14fe6
commit 2b3db4b383
5 changed files with 37 additions and 18 deletions
--- a/app/hr/app_defines.py
+++ b/app/hr/app_defines.py
@@ -22,6 +22,17 @@ APPLICATION_STATUS_CHOICES = (
    (APPLICATION_STATUS_FLAGGED, 'Flagged For Review'),
 )
 # Routes that are allowed (Accept/Reject are managed seperately)
 APPLICATION_STATUS_ROUTES = {
    APPLICATION_STATUS_NOTSUBMITTED: [APPLICATION_STATUS_AWAITINGREVIEW],
    APPLICATION_STATUS_AWAITINGREVIEW: [APPLICATION_STATUS_NOTSUBMITTED, APPLICATION_STATUS_QUERY, APPLICATION_STATUS_FLAGGED],
    APPLICATION_STATUS_REJECTED: [],
    APPLICATION_STATUS_ACCEPTED: [APPLICATION_STATUS_COMPLETED],
    APPLICATION_STATUS_QUERY: [],
    APPLICATION_STATUS_COMPLETED: [],
    APPLICATION_STATUS_FLAGGED: [],
 }
 # Audit Event Type Codes
 AUDIT_EVENT_STATUSCHANGE = 0
 AUDIT_EVENT_NOTE = 1
--- a/app/hr/models.py
+++ b/app/hr/models.py
@@ -21,21 +21,26 @@ class Application(models.Model):
                                     help_text="Current status of this application request.")
    application_date = models.DateTimeField(auto_now_add=True, verbose_name="Created Date")
    c = 0
    @models.permalink
    def get_absolute_url(self):
        return ('hr.views.view_application', [self.id])
    @property
    def blacklisted(self):
-        from hr.utils import blacklist_values
+        if not hasattr(self, '_blflag'):
-        if len(self.blacklist_values) > 0:
+            if len([x for x in self.blacklist_values if x.level == BLACKLIST_LEVEL_BLACKLIST]) > 0:
-            return True
+                self._blflag = True
-        return False
+            self._blflag = False
        return self._blflag
    @property
    def blacklist_values(self):
-        from hr.utils import blacklist_values
+        if not hasattr(self, '_blcache'):
-        return blacklist_values(self.user)
+            from hr.utils import blacklist_values
            self._blcache = blacklist_values(self.user)
        return self._blcache
    @property
    def last_action(self):
@@ -51,11 +56,7 @@ class Application(models.Model):
    def save(self, *args, **kwargs):
-        user = None
+        user = kwargs.pop('user', None)
        if 'user' in kwargs:
            user = kwargs['user']
            del kwargs['user']
        try:
            old_instance = Application.objects.get(id=self.id)
            if not (old_instance.status == int(self.status)):
--- a/app/hr/templates/hr/applications/view.html
+++ b/app/hr/templates/hr/applications/view.html
@@ -67,7 +67,7 @@
 {% endif %}
 {% if hrstaff %}
-{% if app.blacklisted %}
+{% if app.blacklist_values %}
 <h3>Blacklist Triggers</h3>
 <table>
 <tr><th>Blacklist Type</th><th>Blacklisted Value</th><th>Level</th><th>Reason</th><th>Source</th></tr>
--- a/app/hr/utils.py
+++ b/app/hr/utils.py
@@ -40,21 +40,21 @@ def blacklist_values(user):
    blacklist.extend(bl_items.filter(type=BLACKLIST_TYPE_AUTH, value=user.username.lower()))
    # Check EVE Related blacklists
-    evechars = EVEPlayerCharacter.objects.filter(eveaccount__user=user).select_related('corporation__alliance')
+    evechars = EVEPlayerCharacter.objects.filter(eveaccount__user=user).select_related('corporation', 'corporation__alliance')
    # Check Character blacklists
    characters = evechars.values_list('name', flat=True)
-    objs = bl_items.filter(type=BLACKLIST_TYPE_CHARACTER, value__in=characters)
+    objs = bl_items.filter(type=BLACKLIST_TYPE_CHARACTER, value__iregex=r'(' + '|'.join(characters) + ')')
    blacklist.extend(objs)
    # Check Corporation blacklists
    corporations = evechars.values_list('corporation__name', flat=True)
-    objs = bl_items.filter(type=BLACKLIST_TYPE_CORPORATION, value__in=corporations)
+    objs = bl_items.filter(type=BLACKLIST_TYPE_CORPORATION, value__iregex=r'(' + '|'.join(corporations) + ')')
    blacklist.extend(objs)
    # Check Alliance blacklists
    alliances = evechars.values_list('corporation__alliance__name', flat=True)
-    objs = bl_items.filter(type=BLACKLIST_TYPE_ALLIANCE, value__in=alliances)
+    objs = bl_items.filter(type=BLACKLIST_TYPE_ALLIANCE, value__iregex=r'(' + '|'.join([x for x in alliances if x]) + ')')
    blacklist.extend(objs)
    # Check API Key blacklists
--- a/app/hr/views.py
+++ b/app/hr/views.py
@@ -187,12 +187,14 @@ def update_application(request, applicationid, status):
    app = get_object_or_404(Application, id=applicationid)
-    if not app.status in [APPLICATION_STATUS_REJECTED, APPLICATION_STATUS_COMPLETED]:
+    if int(status) in APPLICATION_STATUS_ROUTES[app.status]:
        perm = check_permissions(request.user, app)
        if perm == HR_ADMIN or (perm == HR_VIEWONLY and int(status) <= 1):
            if not app.status == status:
                app.status = status
                app.save(user=request.user)
    else:
         messages.add_message(request, messages.ERROR, "Invalid status change request")
    return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
@login_required
@@ -270,6 +272,11 @@ def accept_application(request, applicationid):
    if check_permissions(request.user) == HR_ADMIN and request.user.has_perm('hr.can_accept'):
        app = Application.objects.get(id=applicationid)
        if app.blacklisted:
            messages.add_message(request, messages.INFO, "This application has one or more blacklist entries and cannot be accepted.")
            return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
        if request.method == 'POST':
            if check_permissions(request.user, app) == HR_ADMIN:
                obj = Audit(application=app, user=request.user, event=AUDIT_EVENT_ACCEPTED)
@@ -279,7 +286,7 @@ def accept_application(request, applicationid):
                    obj.application.status = APPLICATION_STATUS_ACCEPTED
                    obj.application.save(user=request.user)
                    send_message(obj.application, 'accepted', note=obj.text)
-                    return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
+            return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
        form = AdminNoteForm(application=app)
        return render_to_response('hr/applications/accept.html', locals(), context_instance=RequestContext(request))