Merge branch 'main' into render-panels-rework

Author: matthiask

.github/workflows/test.yml

@@ -216,4 +216,4 @@ jobs:
         python -m pip install --upgrade tox
 
     - name: Test with tox
-      run: tox -e docs,style,readme
+      run: tox -e docs,style,packaging

.gitignore

@@ -1,6 +1,7 @@
 *.pyc
 *.DS_Store
 *~
+.idea
 build
 .coverage
 dist

Makefile

@@ -8,13 +8,15 @@ style: package-lock.json
 	flake8
 	npx eslint --ignore-path .gitignore --fix .
 	npx prettier --ignore-path .gitignore --write $(PRETTIER_TARGETS)
+	! grep -r '\(style=\|onclick=\|<script>\|<style\)' debug_toolbar/templates/
 
 style_check: package-lock.json
 	isort -c .
 	black --target-version=py36 --check .
 	flake8
 	npx eslint --ignore-path .gitignore .
 	npx prettier --ignore-path .gitignore --check $(PRETTIER_TARGETS)
+	! grep -r '\(style=\|onclick=\|<script>\|<style\)' debug_toolbar/templates/
 
 example:
 	python example/manage.py migrate --noinput

README.rst

@@ -34,7 +34,7 @@ Here's a screenshot of the toolbar in action:
 In addition to the built-in panels, a number of third-party panels are
 contributed by the community.
 
-The current stable version of the Debug Toolbar is 3.2. It works on
+The current stable version of the Debug Toolbar is 3.2.1. It works on
 Django ≥ 2.2.
 
 Documentation, including installation and configuration instructions, is

debug_toolbar/__init__.py

@@ -1,12 +1,15 @@
+import django
+
 __all__ = ["VERSION"]
 
 
 # Do not use pkg_resources to find the version but set it here directly!
 # see issue #1446
-VERSION = "3.2"
+VERSION = "3.2.1"
 
 # Code that discovers files or modules in INSTALLED_APPS imports this module.
 
 urls = "debug_toolbar.toolbar", "djdt"
 
-default_app_config = "debug_toolbar.apps.DebugToolbarConfig"
+if django.VERSION < (3, 2):
+    default_app_config = "debug_toolbar.apps.DebugToolbarConfig"

debug_toolbar/decorators.py

@@ -1,6 +1,6 @@
 import functools
 
-from django.http import Http404
+from django.http import Http404, HttpResponseBadRequest
 
 
 def require_show_toolbar(view):
@@ -15,3 +15,21 @@ def inner(request, *args, **kwargs):
         return view(request, *args, **kwargs)
 
     return inner
+
+
+def signed_data_view(view):
+    """Decorator that handles unpacking a signed data form"""
+
+    @functools.wraps(view)
+    def inner(request, *args, **kwargs):
+        from debug_toolbar.forms import SignedDataForm
+
+        data = request.GET if request.method == "GET" else request.POST
+        signed_form = SignedDataForm(data)
+        if signed_form.is_valid():
+            return view(
+                request, *args, verified_data=signed_form.verified_data(), **kwargs
+            )
+        return HttpResponseBadRequest("Invalid signature")
+
+    return inner

debug_toolbar/forms.py

@@ -0,0 +1,53 @@
+import json
+
+from django import forms
+from django.core import signing
+from django.core.exceptions import ValidationError
+from django.utils.encoding import force_str
+
+
+class SignedDataForm(forms.Form):
+    """Helper form that wraps a form to validate its contents on post.
+
+    class PanelForm(forms.Form):
+        # fields
+
+    On render:
+        form = SignedDataForm(initial=PanelForm(initial=data).initial)
+
+    On POST:
+        signed_form = SignedDataForm(request.POST)
+        if signed_form.is_valid():
+            panel_form = PanelForm(signed_form.verified_data)
+            if panel_form.is_valid():
+                # Success
+    Or wrap the FBV with ``debug_toolbar.decorators.signed_data_view``
+    """
+
+    salt = "django_debug_toolbar"
+    signed = forms.CharField(required=True, widget=forms.HiddenInput)
+
+    def __init__(self, *args, **kwargs):
+        initial = kwargs.pop("initial", None)
+        if initial:
+            initial = {"signed": self.sign(initial)}
+        super().__init__(*args, initial=initial, **kwargs)
+
+    def clean_signed(self):
+        try:
+            verified = json.loads(
+                signing.Signer(salt=self.salt).unsign(self.cleaned_data["signed"])
+            )
+            return verified
+        except signing.BadSignature:
+            raise ValidationError("Bad signature")
+
+    def verified_data(self):
+        return self.is_valid() and self.cleaned_data["signed"]
+
+    @classmethod
+    def sign(cls, data):
+        items = sorted(data.items(), key=lambda item: item[0])
+        return signing.Signer(salt=cls.salt).sign(
+            json.dumps({key: force_str(value) for key, value in items})
+        )