Pēteris Caune 7252f2f101

Fix _allow_redirect function to reject absolute URLs ...

This fixes a security issue:
- attacker can crafts a redirect URL to an external site
- attacker gets victim to click on it
- victim logs in
- after login, Healthchecks redirects victim to the external site

The _allow_redirect function now additionally
requires the redirect URL is relative (has no scheme or domain).

2021-08-06 13:34:40 +03:00

..

accounts

Fix _allow_redirect function to reject absolute URLs

2021-08-06 13:34:40 +03:00

api

Add protection against TOTP code reuse

2021-07-30 18:17:21 +03:00

front

Switch from Member.rw to Member.role as the source of truth

2021-07-22 17:16:52 +03:00

lib

Refactor email sending functions to allow customization

2021-08-05 14:13:25 +03:00

payments

Upgrade Django version to 3.2

2021-04-07 11:39:11 +03:00

__init__.py

Initial commit

2015-06-11 22:12:09 +03:00

local_settings.py.example

Simplify: remove djmail and django-ses-backend dependencies.

2017-01-29 11:44:22 +02:00

settings.py

Add Whitenoise and improve README

2021-08-05 18:06:47 +03:00

test.py

feat: add manager role

2021-07-26 12:26:06 +03:00

urls.py

Source formatted with Black

2019-05-15 14:27:50 +03:00

wsgi.py

Initial commit

2015-06-11 22:12:09 +03:00