Lavanya

I'm sorry I don't think I can help with your problem directly but I can
help indirectly.

You have "hijacked" this "thread" which means the subject line
does not apply to what you are asking.

Only people interested in the actual subject line will look at your
message. That cuts out all the people who might be able to help.

Your best approach to getting help is to start a new thread
with an interesting subject line summarising what you are looking for.

Good luck with your question

Cheers

Mike

--
(Unsigned mail from my phone)

-------- Original message --------
From: lavanya gowda <lavanyagowda1...@gmail.com>
Date: 21/5/22  13:43  (GMT+10:00)
To: Django users <django-users@googlegroups.com>
Subject: Re: How can I work around the Django 3.2.10 cve release

Hi Mike and Jason, kindly help me with my query also. I have shared my query
in the group; it's an emergency.

My humble request: please help me here. I do have some columns called
sub_task_name that should every day update the same previous task_name, but
sub_task_value should not update; it should give an option to the user to
enter a new value. The same criteria for task_name: it should be the same as
previously entered, but the user should get a new update for these columns:

    category = models.CharField(max_length=500,blank=True, null=True)
    escalation1 = models.IntegerField(blank=True, null=True)
    escalation2 = models.IntegerField(blank=True, null=True)
    escalation3 = models.IntegerField(blank=True, null=True)
    timethershold = models.IntegerField(blank=True, null=True)

my models.py

    class KanbanTask(models.Model):
        STATUS_LEVEL = ((1, "Done"), (2, "In Progress"), (3, "On hold"), (4, "Assigned"))
        regular_task_id = models.AutoField(primary_key=True)
        task_name = models.CharField(max_length=100)
        task_department_name = models.CharField(max_length=50, blank=True, null=True)
        task_type = models.CharField(max_length=50, blank=True, null=True)
        members = JSONField(blank=True, null=True)
        task_description = models.CharField(max_length=200, blank=True, null=True)
        task_files = models.FileField(upload_to=KanbanRegularTask_doc_directory_path, max_length=200,blank=True, null=True)
        task_due_date = models.DateField(blank=True, null=True)
        cron = models.CharField(max_length=50, blank=True, null=True)
        previous_regular_task_id = models.PositiveIntegerField(blank=True, null=True)
        status = models.IntegerField(choices=STATUS_LEVEL, blank=True)
        knowledge_center = models.PositiveIntegerField(blank=True, null=True)
        created_at = models.DateTimeField(auto_now=True)
        updated_at = models.DateTimeField(blank=True, null=True)
        category = models.CharField(max_length=500,blank=True, null=True)
        escalation1 = models.IntegerField(blank=True, null=True)
        escalation2 = models.IntegerField(blank=True, null=True)
        escalation3 = models.IntegerField(blank=True, null=True)
        timethershold = models.IntegerField(blank=True, null=True)

        def __str__(self):
            return self.task_name

    def KanbanSubTask_doc_directory_path(instance, filename):
        return "subtask/%s/%s/%s" %(instance.sub_task_name,instance.sub_task_id, filename)

    class KanbanSubTask(models.Model):
        sub_tasks = models.ForeignKey(KanbanTask, on_delete=models.CASCADE, related_name='kanbansub_task_regular', null=True, blank=True)
        sub_task_id = models.AutoField(primary_key=True)
        regular_task_id = models.PositiveIntegerField(blank=True, null=True)
        sub_task_name = models.CharField(max_length=200, blank=True, null=True)
        sub_task_value = models.CharField(max_length=200, blank=True, null=True)
        sub_task_path = models.FileField(upload_to=KanbanSubTask_doc_directory_path, max_length=200,blank=True, null=True)
        created_at = models.DateTimeField(auto_now=True)
        updated_at = models.DateTimeField(blank=True, null=True)
        value_threshold = models.FloatField(blank=True, null=True)

serilzers.py

    class KanbanTaskSerializer(serializers.ModelSerializer):
        class Meta:
            model = KanbanTask
            fields = '__all__'

    class KanbanSubTaskSerializer(serializers.ModelSerializer):
        class Meta:
            model = KanbanSubTask
            fields = '__all__'

views.py

    class KanbanTaskViewSet(viewsets.ModelViewSet):
        pagination_class = None
        queryset = KanbanTask.objects.exclude(Q(status=1)&Q(created_at__lte=now_for_filter.strftime('%Y-%m-%d')))
        serializer_class = KanbanTaskSerializer

        # def update(self, instance, validated_data):
        #     instance.category = validated_data.get('category', instance.category)
        #     instance.escalation1 = validated_data.get('escalation1', instance.escalation1)
        #     instance.escalation2 = validated_data.get('escalation2', instance.escalation2)
        #     return instance
        #
        # def create(self, validated_data):
        #     return Snippet.objects.create(**validated_data)

    class KanbanSubTaskViewSet(viewsets.ModelViewSet):
        pagination_class = None
        queryset = KanbanSubTask.objects.all()
        serializer_class = KanbanSubTaskSerializer

        def partial_update(self, request, *args, **kwargs):
            instance = self.get_object()
            data = request.data
            try:
                kst= KanbanSubTask.objects.get(sub_tasks=data["sub_tasks"])
                instance.kst = sub_tasks
            except KeyError:
                pass
            instance.sub_task_id= request.data.sub_task_id("sub_task_id")
            instance.sub_task_name = request.data.get("sub_task_name")
            instance.sub_task_value = validated_data.get("sub_task_value")
            instance.value_threshold = validated_data.get("value_threshold")
            instance.save()
            serializer = KanbanSubTaskSerializer(instance)
            serializer.is_valid(raise_exception=True)
            return Response(serializer.data)
            # self.perform_update(serializer)
            # return Response(serializer.data)

I have been trying hard for a few days; please, guys, help me out.

On Saturday, May 21, 2022 at 6:35:30 AM UTC+5:30 Mike Dewhirst wrote:
    On 20/05/2022 11:21 pm, Jason wrote:

      are you using re_path for the url in question?

    Thanks for responding Jason, yes! Here are my relevant lines ...

        re_path(r"invoice/(?P<pk>\d+)/$", billing_views.invoice_view, name="invoice_view"),
        # no trailing slash or the payment system barfs
        re_path(r"success$", billing_views.success_view, name="success_view"),
        # no trailing slash or the payment system barfs
        re_path(r"payment$", billing_views.payment_view, name="payment_view"),

    I'm not particularly keen on re because I have to study the docs to
    make sense of it every time. If there is an easier way I'll do it!

      you can see the backport change here:
      https://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6

    I looked at the tests and see they are actually looking for '\n' and
    I'm sure none of my urls end that way.

    Cheers

    mike

        On Thursday, May 19, 2022 at 11:14:25 PM UTC-4 Mike Dewhirst wrote:

          My billing (Stripe) mechanism is working right up until Django 3.2.9 -
          which is where I'm stumped at the moment.

          Django 3.2.10 https://docs.djangoproject.com/en/3.2/releases/3.2.10/
          indicate a URL with a trailing newline can bypass
          upstream access control based on URL paths.

          Sadly, I am not aware of any such upstream access control.

          I have tried to repair it with fixid() within change_view() where
          object_id occurs but that doesn't achieve anything.

          def fixid(txt):
              try:
                  return str(txt).split("/")[0]
              except ValueError:
                  pass
              return txt

          How can I fix the following error and move forward to 3.2.13?

          Many thanks

          Mike

          - - - - - - - -

          Exception Type: ValueError at /admin/chemical/chemical/29/change/payment/change/
          Exception Value: Field 'id' expected a number but got '29/change/payment'.

          Environment:

          Request Method: GET
          Request URL: http://localhost:8088/admin/chemical/chemical/29/change/payment/change/

          Django Version: 3.2.13
          Python Version: 3.8.3
          Installed Applications:
          ['filebrowser',
           'django.contrib.auth',
           'django.contrib.contenttypes',
           'django.contrib.sessions',
           'django.contrib.messages',
           'django.contrib.admin',
           'django.contrib.admindocs',
           'django.contrib.staticfiles',
           'django.contrib.sites',
           'django.contrib.sitemaps',
           'tinymce',
           'billing',
           'chemical',
           'common',
           'company',
           'credit',
           'refer',
           'report']
          Installed Middleware:
          ['django.middleware.security.SecurityMiddleware',
           'django.middleware.cache.UpdateCacheMiddleware',
           'django.contrib.sessions.middleware.SessionMiddleware',
           'django.middleware.locale.LocaleMiddleware',
           'django.middleware.common.CommonMiddleware',
           'django.middleware.csrf.CsrfViewMiddleware',
           'django.contrib.auth.middleware.AuthenticationMiddleware',
           'django.contrib.messages.middleware.MessageMiddleware',
           'django.contrib.admindocs.middleware.XViewMiddleware',
           'django.middleware.clickjacking.XFrameOptionsMiddleware',
           'pwned_passwords_django.middleware.PwnedPasswordsMiddleware',
           'django.middleware.cache.FetchFromCacheMiddleware']

          Traceback (most recent call last):
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1823, in get_prep_value
              return int(value)

          The above exception (invalid literal for int() with base 10: '29/change/payment') was the direct cause of the following exception:
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\exception.py", line 47, in inner
              response = get_response(request)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\core\handlers\base.py", line 181, in _get_response
              response = wrapped_callback(request, *callback_args, **callback_kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\options.py", line 616, in wrapper
              return self.admin_site.admin_view(view)(*args, **kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\utils\decorators.py", line 130, in _wrapped_view
              response = view_func(request, *args, **kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\views\decorators\cache.py", line 44, in _wrapped_view_func
              response = view_func(request, *args, **kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\contrib\admin\sites.py", line 232, in inner
              return view(request, *args, **kwargs)
            File "D:\Users\mike\envs\xxai\aicis\chemical\admin.py", line 268, in change_view
              chemical = Chemical.objects.get(id=object_id)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\manager.py", line 85, in manager_method
              return getattr(self.get_queryset(), name)(*args, **kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 424, in get
              clone = self._chain() if self.query.combinator else self.filter(*args, **kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 941, in filter
              return self._filter_or_exclude(False, args, kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 961, in _filter_or_exclude
              clone._filter_or_exclude_inplace(negate, args, kwargs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\query.py", line 968, in _filter_or_exclude_inplace
              self._query.add_q(Q(*args, **kwargs))
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1416, in add_q
              clause, _ = self._add_q(q_object, self.used_aliases)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1435, in _add_q
              child_clause, needed_inner = self.build_filter(
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1370, in build_filter
              condition = self.build_lookup(lookups, col, value)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\sql\query.py", line 1216, in build_lookup
              lookup = lookup_class(lhs, rhs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\lookups.py", line 25, in __init__
              self.rhs = self.get_prep_lookup()
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\lookups.py", line 77, in get_prep_lookup
              return self.lhs.output_field.get_prep_value(self.rhs)
            File "D:\Users\mike\envs\xxai\lib\site-packages\django\db\models\fields\__init__.py", line 1825, in get_prep_value
              raise e.__class__(

          Exception Type: ValueError at /admin/chemical/chemical/29/change/payment/change/
          Exception Value: Field 'id' expected a number but got '29/change/payment'.

          -- 
          Signed email is an absolute defence against phishing. This email has
          been signed with my private key. If you import my public key you can
          automatically decrypt my signature and be sure it came from me. Just
          ask and I'll send it to you. Your email software can handle signing.

        
      
      -- 
      You received this message because you are subscribed to the Google
      Groups "Django users" group.
      To unsubscribe from this group and stop receiving emails from it,
      send an email to django-users...@googlegroups.com.
      To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/8209a97f-3e62-4902-aec7-a4415c5968f6n%40googlegroups.com.
    
    
    
    -- 
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.
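
The regex behaviour behind the 3.2.10 release note and the '\n' tests mentioned in the thread, as an added example that is not part of any message above and is not Django's code: in Python's `re`, `$` also matches just before a trailing newline, so a `search()` on each `re_path` pattern quoted in the thread accepts a path with `\n` appended, while `fullmatch()` or a `\Z` anchor rejects it. The sample paths and the `ends_with_anchor`, `harden`, `audit` and `run_audit` helpers are constructed for illustration.

```python
import re

# re_path() patterns quoted in the thread, each paired with a constructed
# sample path that the pattern is meant to accept.
THREAD_PATTERNS = [
    (r"invoice/(?P<pk>\d+)/$", "invoice/29/"),
    (r"success$", "success"),
    (r"payment$", "payment"),
]


def ends_with_anchor(pattern):
    """True if the pattern ends in an unescaped '$' (an anchor, not a literal)."""
    if not pattern.endswith("$"):
        return False
    body = pattern[:-1]
    backslashes = len(body) - len(body.rstrip("\\"))
    return backslashes % 2 == 0


def harden(pattern):
    """Hypothetical helper: swap a trailing '$' anchor for '\\Z' (absolute end)."""
    return pattern[:-1] + r"\Z" if ends_with_anchor(pattern) else pattern


def audit(pattern, sample):
    """Compare how three matching strategies treat sample + '\\n'."""
    probe = sample + "\n"
    rx = re.compile(pattern)
    return {
        "pattern": pattern,
        "matches_clean": rx.search(sample) is not None,
        "search_accepts_newline": rx.search(probe) is not None,
        "fullmatch_accepts_newline": rx.fullmatch(probe) is not None,
        "hardened_accepts_newline": re.search(harden(pattern), probe) is not None,
    }


def run_audit():
    """Audit every pattern from the thread against its constructed sample."""
    return [audit(p, s) for p, s in THREAD_PATTERNS]


if __name__ == "__main__":
    for row in run_audit():
        print(row)
```
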

  


