Compare commits
8 Commits
1af50c45ff
...
46912cff8c
| Author | SHA1 | Date | |
|---|---|---|---|
| 46912cff8c | |||
| 3a89f6d871 | |||
| 048105ef27 | |||
| b579f5fb42 | |||
| db9bd92036 | |||
| 7e89ffb6f1 | |||
| dd6d0fae46 | |||
| e5202d9b2b |
@@ -87,7 +87,7 @@ Die abschnitte App enthält 33 Tests, die Modelle, Utility-Funktionen, Diagram-C
|
||||
|
||||
## dokumente App Tests
|
||||
|
||||
Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, die alle Modelle, Views, URLs und Geschäftslogik abdeckt.
|
||||
Die dokumente App enthält 121 Tests und ist damit die umfassendste Test-Suite, die alle Modelle, Views, URLs, Geschäftslogik und Kommentarfunktionalität mit XSS-Schutz abdeckt.
|
||||
|
||||
### Modell-Tests
|
||||
|
||||
@@ -131,6 +131,14 @@ Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, d
|
||||
- **test_checklistenfrage_str**: Überprüft, dass die String-Repräsentation lange Fragen kürzt
|
||||
- **test_checklistenfrage_related_name**: Testet die umgekehrte Beziehung von Vorgabe
|
||||
|
||||
#### VorgabeCommentModelTest
|
||||
- **test_comment_creation**: Testet die Erstellung von VorgabeComment mit Vorgabe, Benutzer und Text
|
||||
- **test_comment_str**: Überprüft, dass die String-Repräsentation Benutzername und Vorgabennummer enthält
|
||||
- **test_comment_related_name**: Testet die umgekehrte Beziehung von Vorgabe
|
||||
- **test_comment_ordering**: Testet, dass Kommentare nach created_at absteigend sortiert sind (neueste zuerst)
|
||||
- **test_comment_timestamps_auto_update**: Testet, dass sich updated_at ändert, wenn ein Kommentar geändert wird
|
||||
- **test_multiple_users_can_comment**: Testet, dass mehrere Benutzer zur selben Vorgabe kommentieren können
|
||||
|
||||
### Text-Abschnitt-Tests
|
||||
|
||||
#### DokumentTextAbschnitteTest
|
||||
@@ -217,6 +225,40 @@ Die dokumente App enthält 98 Tests und ist damit die umfassendste Test-Suite, d
|
||||
- **test_vorgabe_links**: Testet, dass Vorgaben zu korrekten Admin-Seiten verlinken
|
||||
- **test_back_link**: Testet, dass der Zurück-Link zur Standardübersicht existiert
|
||||
|
||||
### Kommentar-Funktionalität Tests
|
||||
|
||||
#### GetVorgabeCommentsViewTest
|
||||
- **test_get_comments_requires_login**: Testet, dass anonyme Benutzer keine Kommentare sehen können und weitergeleitet werden
|
||||
- **test_regular_user_sees_only_own_comments**: Testet, dass normale Benutzer nur ihre eigenen Kommentare sehen
|
||||
- **test_staff_user_sees_all_comments**: Testet, dass Staff-Benutzer alle Kommentare sehen können
|
||||
- **test_get_comments_returns_404_for_nonexistent_vorgabe**: Testet 404-Antwort für nicht existierende Vorgabe
|
||||
- **test_comments_are_html_escaped**: Testet HTML-Escaping zur Verhinderung von XSS-Angriffen (z.B. `<script>`-Tags)
|
||||
- **test_line_breaks_preserved**: Testet, dass Zeilenumbrüche in `<br>`-Tags umgewandelt werden
|
||||
- **test_security_headers_present**: Testet, dass Content-Security-Policy und X-Content-Type-Options Header gesetzt sind
|
||||
|
||||
#### AddVorgabeCommentViewTest
|
||||
- **test_add_comment_requires_login**: Testet, dass anonyme Benutzer keine Kommentare hinzufügen können
|
||||
- **test_add_comment_requires_post**: Testet, dass nur POST-Methode erlaubt ist (405 für GET)
|
||||
- **test_add_comment_success**: Testet erfolgreiche Kommentarerstellung mit gültigen Daten
|
||||
- **test_add_empty_comment_fails**: Testet, dass leere Kommentare mit 400-Fehler abgelehnt werden
|
||||
- **test_add_whitespace_only_comment_fails**: Testet, dass Kommentare nur mit Leerzeichen abgelehnt werden
|
||||
- **test_add_too_long_comment_fails**: Testet, dass Kommentare über 2000 Zeichen abgelehnt werden
|
||||
- **test_add_comment_xss_script_tag_blocked**: Testet, dass Kommentare mit `<script>`-Tags blockiert werden
|
||||
- **test_add_comment_xss_javascript_protocol_blocked**: Testet, dass `javascript:`-Protokoll blockiert wird
|
||||
- **test_add_comment_xss_event_handlers_blocked**: Testet, dass Event-Handler (onload, onerror, onclick, onmouseover) blockiert werden
|
||||
- **test_add_comment_invalid_json_fails**: Testet, dass ungültige JSON-Payloads abgelehnt werden
|
||||
- **test_add_comment_nonexistent_vorgabe_fails**: Testet 404-Antwort für nicht existierende Vorgabe
|
||||
- **test_add_comment_security_headers**: Testet, dass Sicherheits-Header in Antworten vorhanden sind
|
||||
|
||||
#### DeleteVorgabeCommentViewTest
|
||||
- **test_delete_comment_requires_login**: Testet, dass anonyme Benutzer keine Kommentare löschen können
|
||||
- **test_delete_comment_requires_post**: Testet, dass nur POST-Methode erlaubt ist (405 für GET)
|
||||
- **test_user_can_delete_own_comment**: Testet, dass Benutzer ihre eigenen Kommentare löschen können
|
||||
- **test_user_cannot_delete_other_users_comment**: Testet, dass Benutzer keine Kommentare anderer löschen können (403 Forbidden)
|
||||
- **test_staff_can_delete_any_comment**: Testet, dass Staff-Benutzer jeden Kommentar löschen können
|
||||
- **test_delete_nonexistent_comment_returns_404**: Testet 404-Antwort für nicht existierenden Kommentar
|
||||
- **test_delete_comment_security_headers**: Testet, dass Sicherheits-Header in Antworten vorhanden sind
|
||||
|
||||
---
|
||||
|
||||
## pages App Tests
|
||||
@@ -333,9 +375,17 @@ Die stichworte App enthält 18 Tests, die Schlüsselwortmodelle und ihre Sortier
|
||||
|
||||
## Test-Statistiken
|
||||
|
||||
- **Gesamt-Tests**: 207
|
||||
- **Gesamt-Tests**: 230
|
||||
- **abschnitte**: 33 Tests (einschließlich XSS-Prävention)
|
||||
- **dokumente**: 116 Tests (98 in tests.py + 9 in test_json.py + 9 JSON-Tests in Haupt-tests.py)
|
||||
- **dokumente**: 121 Tests (einschließlich Kommentarfunktionalität mit XSS-Schutz)
|
||||
- Modell-Tests: 44 Tests
|
||||
- View-Tests: 7 Tests
|
||||
- URL-Pattern-Tests: 4 Tests
|
||||
- Sanity-Check-Tests: 16 Tests
|
||||
- Management-Befehl-Tests: 2 Tests
|
||||
- JSON-Export-Tests: 9 Tests
|
||||
- Unvollständige-Vorgaben-Tests: 15 Tests
|
||||
- Kommentar-Tests: 24 Tests (6 Modell + 18 View-Tests)
|
||||
- **pages**: 4 Tests
|
||||
- **referenzen**: 18 Tests
|
||||
- **rollen**: 18 Tests
|
||||
@@ -349,7 +399,17 @@ Die stichworte App enthält 18 Tests, die Schlüsselwortmodelle und ihre Sortier
|
||||
4. **Utility-Funktionen**: Textverarbeitung, Caching, Formatierung
|
||||
5. **Management-Befehle**: CLI-Schnittstelle und Ausgabeverarbeitung
|
||||
6. **Integration**: App-übergreifende Funktionalität und Datenfluss
|
||||
7. **Sicherheit**: XSS-Prävention durch HTML-Bereinigung beim Rendern von Inhalten
|
||||
7. **Sicherheit**:
|
||||
- XSS-Prävention durch HTML-Bereinigung beim Rendern von Inhalten
|
||||
- XSS-Angriffsverhinderung im Kommentarsystem (Script-Tags, javascript:-Protokoll, Event-Handler)
|
||||
- Eingabevalidierung und -bereinigung
|
||||
- Autorisierungsprüfungen (Staff vs. normale Benutzer)
|
||||
- Sicherheits-Header (Content-Security-Policy, X-Content-Type-Options)
|
||||
8. **Kommentar-Funktionalität**:
|
||||
- CRUD-Operationen (Create, Read, Delete)
|
||||
- Benutzerberechtigungen und -besitz
|
||||
- HTML-Escaping und Erhalt von Zeilenumbrüchen
|
||||
- Verhinderung mehrerer XSS-Angriffsvektoren
|
||||
|
||||
## Ausführen der Tests
|
||||
|
||||
|
||||
@@ -87,7 +87,7 @@ The abschnitte app contains 33 tests covering models, utility functions, diagram
|
||||
|
||||
## dokumente App Tests
|
||||
|
||||
The dokumente app contains 98 tests, making it the most comprehensive test suite, covering all models, views, URLs, and business logic.
|
||||
The dokumente app contains 121 tests, making it the most comprehensive test suite, covering all models, views, URLs, business logic, and comment functionality with XSS protection.
|
||||
|
||||
### Model Tests
|
||||
|
||||
@@ -131,6 +131,14 @@ The dokumente app contains 98 tests, making it the most comprehensive test suite
|
||||
- **test_checklistenfrage_str**: Verifies string representation truncates long questions
|
||||
- **test_checklistenfrage_related_name**: Tests the reverse relationship from Vorgabe
|
||||
|
||||
#### VorgabeCommentModelTest
|
||||
- **test_comment_creation**: Tests VorgabeComment creation with vorgabe, user, and text
|
||||
- **test_comment_str**: Verifies string representation includes username and Vorgabennummer
|
||||
- **test_comment_related_name**: Tests the reverse relationship from Vorgabe
|
||||
- **test_comment_ordering**: Tests comments are ordered by created_at descending (newest first)
|
||||
- **test_comment_timestamps_auto_update**: Tests that updated_at changes when comment is modified
|
||||
- **test_multiple_users_can_comment**: Tests multiple users can comment on same Vorgabe
|
||||
|
||||
### Text Abschnitt Tests
|
||||
|
||||
#### DokumentTextAbschnitteTest
|
||||
@@ -217,6 +225,40 @@ The dokumente app contains 98 tests, making it the most comprehensive test suite
|
||||
- **test_vorgabe_links**: Tests Vorgaben link to correct admin pages
|
||||
- **test_back_link**: Tests back link to standard list exists
|
||||
|
||||
### Comment Functionality Tests
|
||||
|
||||
#### GetVorgabeCommentsViewTest
|
||||
- **test_get_comments_requires_login**: Tests anonymous users cannot view comments and are redirected
|
||||
- **test_regular_user_sees_only_own_comments**: Tests regular users only see their own comments
|
||||
- **test_staff_user_sees_all_comments**: Tests staff users can see all comments
|
||||
- **test_get_comments_returns_404_for_nonexistent_vorgabe**: Tests 404 response for non-existent Vorgabe
|
||||
- **test_comments_are_html_escaped**: Tests HTML escaping prevents XSS attacks (e.g., `<script>` tags)
|
||||
- **test_line_breaks_preserved**: Tests line breaks are converted to `<br>` tags
|
||||
- **test_security_headers_present**: Tests Content-Security-Policy and X-Content-Type-Options headers are set
|
||||
|
||||
#### AddVorgabeCommentViewTest
|
||||
- **test_add_comment_requires_login**: Tests anonymous users cannot add comments
|
||||
- **test_add_comment_requires_post**: Tests only POST method is allowed (405 for GET)
|
||||
- **test_add_comment_success**: Tests successful comment creation with valid data
|
||||
- **test_add_empty_comment_fails**: Tests empty comments are rejected with 400 error
|
||||
- **test_add_whitespace_only_comment_fails**: Tests whitespace-only comments are rejected
|
||||
- **test_add_too_long_comment_fails**: Tests comments exceeding 2000 characters are rejected
|
||||
- **test_add_comment_xss_script_tag_blocked**: Tests comments with `<script>` tags are blocked
|
||||
- **test_add_comment_xss_javascript_protocol_blocked**: Tests `javascript:` protocol is blocked
|
||||
- **test_add_comment_xss_event_handlers_blocked**: Tests event handlers (onload, onerror, onclick, onmouseover) are blocked
|
||||
- **test_add_comment_invalid_json_fails**: Tests invalid JSON payloads are rejected
|
||||
- **test_add_comment_nonexistent_vorgabe_fails**: Tests 404 response for non-existent Vorgabe
|
||||
- **test_add_comment_security_headers**: Tests security headers are present in responses
|
||||
|
||||
#### DeleteVorgabeCommentViewTest
|
||||
- **test_delete_comment_requires_login**: Tests anonymous users cannot delete comments
|
||||
- **test_delete_comment_requires_post**: Tests only POST method is allowed (405 for GET)
|
||||
- **test_user_can_delete_own_comment**: Tests users can delete their own comments
|
||||
- **test_user_cannot_delete_other_users_comment**: Tests users cannot delete others' comments (403 Forbidden)
|
||||
- **test_staff_can_delete_any_comment**: Tests staff users can delete any comment
|
||||
- **test_delete_nonexistent_comment_returns_404**: Tests 404 response for non-existent comment
|
||||
- **test_delete_comment_security_headers**: Tests security headers are present in responses
|
||||
|
||||
---
|
||||
|
||||
## pages App Tests
|
||||
@@ -333,9 +375,17 @@ The stichworte app contains 18 tests covering keyword models and their ordering.
|
||||
|
||||
## Test Statistics
|
||||
|
||||
- **Total Tests**: 207
|
||||
- **Total Tests**: 230
|
||||
- **abschnitte**: 33 tests (including XSS prevention)
|
||||
- **dokumente**: 116 tests (98 in tests.py + 9 in test_json.py + 9 JSON tests in main tests.py)
|
||||
- **dokumente**: 121 tests (including comment functionality with XSS protection)
|
||||
- Model tests: 44 tests
|
||||
- View tests: 7 tests
|
||||
- URL pattern tests: 4 tests
|
||||
- Sanity check tests: 16 tests
|
||||
- Management command tests: 2 tests
|
||||
- JSON export tests: 9 tests
|
||||
- Incomplete Vorgaben tests: 15 tests
|
||||
- Comment tests: 24 tests (6 model + 18 view tests)
|
||||
- **pages**: 4 tests
|
||||
- **referenzen**: 18 tests
|
||||
- **rollen**: 18 tests
|
||||
@@ -349,7 +399,17 @@ The stichworte app contains 18 tests covering keyword models and their ordering.
|
||||
4. **Utility Functions**: Text processing, caching, formatting
|
||||
5. **Management Commands**: CLI interface and output handling
|
||||
6. **Integration**: Cross-app functionality and data flow
|
||||
7. **Security**: XSS prevention through HTML sanitization in content rendering
|
||||
7. **Security**:
|
||||
- XSS prevention through HTML sanitization in content rendering
|
||||
- XSS attack prevention in comment system (script tags, javascript: protocol, event handlers)
|
||||
- Input validation and sanitization
|
||||
- Authorization checks (staff vs. regular users)
|
||||
- Security headers (Content-Security-Policy, X-Content-Type-Options)
|
||||
8. **Comment Functionality**:
|
||||
- CRUD operations (Create, Read, Delete)
|
||||
- User permissions and ownership
|
||||
- HTML escaping and line break preservation
|
||||
- Multiple XSS attack vector prevention
|
||||
|
||||
## Running the Tests
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ spec:
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
initContainers:
|
||||
- name: loader
|
||||
image: git.baumann.gr/adebaumann/vui-data-loader:0.9
|
||||
image: git.baumann.gr/adebaumann/vui-data-loader:0.10
|
||||
command: [ "sh","-c","cp -n preload/preload.sqlite3 /data/db.sqlite3; chown -R 999:999 /data; ls -la /data; sleep 10; exit 0" ]
|
||||
volumeMounts:
|
||||
- name: data
|
||||
|
||||
Binary file not shown.
BIN
data/db.sqlite3
BIN
data/db.sqlite3
Binary file not shown.
@@ -293,6 +293,6 @@ class VorgabeAdmin(NestedModelAdmin):
|
||||
|
||||
admin.site.register(Checklistenfrage)
|
||||
admin.site.register(Dokumententyp)
|
||||
#admin.site.register(Person)
|
||||
admin.site.register(VorgabeComment)
|
||||
|
||||
#admin.site.register(Changelog)
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
# Generated by Django 5.2.5 on 2025-11-27 22:02
|
||||
|
||||
import django.db.models.deletion
|
||||
from django.conf import settings
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('dokumente', '0009_alter_vorgabe_options_vorgabe_order'),
|
||||
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='VorgabenTable',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Vorgabe (Tabellenansicht)',
|
||||
'verbose_name_plural': 'Vorgaben (Tabellenansicht)',
|
||||
'proxy': True,
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('dokumente.vorgabe',),
|
||||
),
|
||||
migrations.AlterModelOptions(
|
||||
name='person',
|
||||
options={'ordering': ['name'], 'verbose_name_plural': 'Personen'},
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='VorgabeComment',
|
||||
fields=[
|
||||
('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
|
||||
('text', models.TextField()),
|
||||
('created_at', models.DateTimeField(auto_now_add=True)),
|
||||
('updated_at', models.DateTimeField(auto_now=True)),
|
||||
('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
|
||||
('vorgabe', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='comments', to='dokumente.vorgabe')),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Vorgabe-Kommentar',
|
||||
'verbose_name_plural': 'Vorgabe-Kommentare',
|
||||
'ordering': ['-created_at'],
|
||||
},
|
||||
),
|
||||
]
|
||||
@@ -1,5 +1,6 @@
|
||||
from django.db import models
|
||||
from mptt.models import MPTTModel, TreeForeignKey
|
||||
from django.contrib.auth.models import User
|
||||
from abschnitte.models import Textabschnitt
|
||||
from stichworte.models import Stichwort
|
||||
from referenzen.models import Referenz
|
||||
@@ -261,3 +262,19 @@ class Changelog(models.Model):
|
||||
class Meta:
|
||||
verbose_name_plural="Changelog"
|
||||
verbose_name="Changelog-Eintrag"
|
||||
|
||||
|
||||
class VorgabeComment(models.Model):
|
||||
vorgabe = models.ForeignKey(Vorgabe, on_delete=models.CASCADE, related_name='comments')
|
||||
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
||||
text = models.TextField()
|
||||
created_at = models.DateTimeField(auto_now_add=True)
|
||||
updated_at = models.DateTimeField(auto_now=True)
|
||||
|
||||
class Meta:
|
||||
verbose_name = "Vorgabe-Kommentar"
|
||||
verbose_name_plural = "Vorgabe-Kommentare"
|
||||
ordering = ['-created_at']
|
||||
|
||||
def __str__(self):
|
||||
return f"Kommentar von {self.user.username} zu {self.vorgabe.Vorgabennummer()}"
|
||||
|
||||
@@ -105,13 +105,13 @@
|
||||
{% else %}
|
||||
<div class="alert alert-success" role="alert">
|
||||
<h4 class="alert-heading">
|
||||
<i class="fas fa-check-circle"></i> Alle Vorgaben sind vollständig!
|
||||
<span class="emoji-icon">✅</span> Alle Vorgaben sind vollständig!
|
||||
</h4>
|
||||
<p>Alle Vorgaben haben Referenzen, Stichworte, Text und Checklistenfragen.</p>
|
||||
<hr>
|
||||
<p class="mb-0">
|
||||
<a href="{% url 'standard_list' %}" class="btn btn-primary">
|
||||
<i class="fas fa-list"></i> Zurück zur Übersicht
|
||||
<span class="emoji-icon">📋</span> Zurück zur Übersicht
|
||||
</a>
|
||||
</p>
|
||||
</div>
|
||||
@@ -119,7 +119,7 @@
|
||||
|
||||
<div class="mt-3">
|
||||
<a href="{% url 'standard_list' %}" class="btn btn-secondary">
|
||||
<i class="fas fa-arrow-left"></i> Zurück zur Übersicht
|
||||
<span class="emoji-icon">←</span> Zurück zur Übersicht
|
||||
</a>
|
||||
</div>
|
||||
|
||||
|
||||
@@ -145,6 +145,20 @@
|
||||
{% endif %}
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<!-- Comment Button -->
|
||||
{% if user.is_authenticated %}
|
||||
<div class="mt-3 text-right">
|
||||
<button class="btn btn-sm btn-outline-primary comment-btn"
|
||||
data-vorgabe-id="{{ vorgabe.id }}"
|
||||
data-vorgabe-nummer="{{ vorgabe.Vorgabennummer }}">
|
||||
<span class="emoji-icon">💬</span> Kommentare
|
||||
{% if vorgabe.comment_count > 0 %}
|
||||
<span class="comment-count">{{ vorgabe.comment_count }}</span>
|
||||
{% endif %}
|
||||
</button>
|
||||
</div>
|
||||
{% endif %}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
@@ -176,4 +190,210 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Comment Modal -->
|
||||
<div class="modal fade" id="commentModal" tabindex="-1" role="dialog" aria-labelledby="commentModalLabel" aria-hidden="true">
|
||||
<div class="modal-dialog modal-lg" role="document">
|
||||
<div class="modal-content">
|
||||
<div class="modal-header">
|
||||
<h5 class="modal-title" id="commentModalLabel">Kommentare für <span id="modalVorgabeNummer"></span></h5>
|
||||
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
|
||||
<span aria-hidden="true">×</span>
|
||||
</button>
|
||||
</div>
|
||||
<div class="modal-body">
|
||||
<div id="commentsContainer">
|
||||
<!-- Comments will be loaded here -->
|
||||
</div>
|
||||
|
||||
<!-- Add Comment Form -->
|
||||
<div class="mt-4">
|
||||
<h6>Neuen Kommentar hinzufügen:</h6>
|
||||
<textarea id="newCommentText" class="form-control" rows="3" placeholder="Ihr Kommentar..."></textarea>
|
||||
<button id="addCommentBtn" class="btn btn-primary btn-sm mt-2">Kommentar hinzufügen</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- JavaScript for Comments -->
|
||||
<script>
|
||||
// Content Security Policy for comment system
|
||||
document.addEventListener('DOMContentLoaded', function() {
|
||||
// Prevent inline script execution in dynamically loaded content
|
||||
const commentsContainer = document.getElementById('commentsContainer');
|
||||
if (commentsContainer) {
|
||||
// Use DOMPurify-like approach - only allow safe HTML
|
||||
const allowedTags = ['br', 'small', 'div', 'span', 'button'];
|
||||
const allowedAttributes = ['class', 'data-comment-id', 'aria-hidden'];
|
||||
|
||||
// Monitor for any script injection attempts
|
||||
const observer = new MutationObserver(function(mutations) {
|
||||
mutations.forEach(function(mutation) {
|
||||
mutation.addedNodes.forEach(function(node) {
|
||||
if (node.nodeType === 1) { // Element node
|
||||
const tagName = node.tagName.toLowerCase();
|
||||
if (tagName === 'script') {
|
||||
console.warn('Script injection attempt blocked');
|
||||
node.parentNode.removeChild(node);
|
||||
}
|
||||
}
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
observer.observe(commentsContainer, {
|
||||
childList: true,
|
||||
subtree: true
|
||||
});
|
||||
}
|
||||
});
|
||||
document.addEventListener('DOMContentLoaded', function() {
|
||||
let currentVorgabeId = null;
|
||||
let currentVorgabeNummer = null;
|
||||
|
||||
// Comment button click handler
|
||||
document.querySelectorAll('.comment-btn').forEach(btn => {
|
||||
btn.addEventListener('click', function() {
|
||||
currentVorgabeId = this.dataset.vorgabeId;
|
||||
currentVorgabeNummer = this.dataset.vorgabeNummer;
|
||||
|
||||
document.getElementById('modalVorgabeNummer').textContent = currentVorgabeNummer;
|
||||
document.getElementById('newCommentText').value = '';
|
||||
|
||||
loadComments();
|
||||
$('#commentModal').modal('show');
|
||||
});
|
||||
});
|
||||
|
||||
// Load comments function
|
||||
function loadComments() {
|
||||
fetch(`/dokumente/comments/${currentVorgabeId}/`)
|
||||
.then(response => response.json())
|
||||
.then(data => {
|
||||
renderComments(data.comments);
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error loading comments:', error);
|
||||
document.getElementById('commentsContainer').innerHTML =
|
||||
'<div class="alert alert-danger">Fehler beim Laden der Kommentare</div>';
|
||||
});
|
||||
}
|
||||
|
||||
// Render comments function
|
||||
function renderComments(comments) {
|
||||
const container = document.getElementById('commentsContainer');
|
||||
|
||||
if (comments.length === 0) {
|
||||
container.innerHTML = '<p class="text-muted">Noch keine Kommentare vorhanden.</p>';
|
||||
return;
|
||||
}
|
||||
|
||||
let html = '';
|
||||
comments.forEach(comment => {
|
||||
const canDelete = comment.is_own || {% if user.is_authenticated %}'{{ user.is_staff|yesno:"true,false" }}'{% else %}'false'{% endif %} === 'true';
|
||||
html += `
|
||||
<div class="comment-item border-bottom pb-2 mb-2">
|
||||
<div class="d-flex justify-content-between align-items-start">
|
||||
<div class="flex-grow-1">
|
||||
<strong>${comment.user}</strong>
|
||||
<small class="text-muted">(${comment.created_at})</small>
|
||||
${comment.updated_at !== comment.created_at ? `<small class="text-muted">(bearbeitet: ${comment.updated_at})</small>` : ''}
|
||||
<div class="mt-1">${comment.text}</div>
|
||||
</div>
|
||||
${canDelete ? `
|
||||
<button class="btn btn-sm btn-outline-danger ml-2 delete-comment-btn" data-comment-id="${comment.id}">
|
||||
<span aria-hidden="true">×</span>
|
||||
</button>
|
||||
` : ''}
|
||||
</div>
|
||||
</div>
|
||||
`;
|
||||
});
|
||||
|
||||
container.innerHTML = html;
|
||||
|
||||
// Add delete handlers
|
||||
document.querySelectorAll('.delete-comment-btn').forEach(btn => {
|
||||
btn.addEventListener('click', function() {
|
||||
if (confirm('Möchten Sie diesen Kommentar wirklich löschen?')) {
|
||||
deleteComment(this.dataset.commentId);
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
// Add comment function
|
||||
document.getElementById('addCommentBtn').addEventListener('click', function() {
|
||||
const text = document.getElementById('newCommentText').value.trim();
|
||||
|
||||
if (!text) {
|
||||
alert('Bitte geben Sie einen Kommentar ein.');
|
||||
return;
|
||||
}
|
||||
|
||||
fetch(`/dokumente/comments/${currentVorgabeId}/add/`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRFToken': getCookie('csrftoken')
|
||||
},
|
||||
body: JSON.stringify({ text: text })
|
||||
})
|
||||
.then(response => response.json())
|
||||
.then(data => {
|
||||
if (data.success) {
|
||||
document.getElementById('newCommentText').value = '';
|
||||
loadComments();
|
||||
} else {
|
||||
alert('Fehler: ' + (data.error || 'Unbekannter Fehler'));
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error adding comment:', error);
|
||||
alert('Fehler beim Hinzufügen des Kommentars');
|
||||
});
|
||||
});
|
||||
|
||||
// Delete comment function
|
||||
function deleteComment(commentId) {
|
||||
fetch(`/dokumente/comments/delete/${commentId}/`, {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'X-CSRFToken': getCookie('csrftoken')
|
||||
}
|
||||
})
|
||||
.then(response => response.json())
|
||||
.then(data => {
|
||||
if (data.success) {
|
||||
loadComments();
|
||||
} else {
|
||||
alert('Fehler: ' + (data.error || 'Unbekannter Fehler'));
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
console.error('Error deleting comment:', error);
|
||||
alert('Fehler beim Löschen des Kommentars');
|
||||
});
|
||||
}
|
||||
|
||||
// CSRF token helper
|
||||
function getCookie(name) {
|
||||
let cookieValue = null;
|
||||
if (document.cookie && document.cookie !== '') {
|
||||
const cookies = document.cookie.split(';');
|
||||
for (let i = 0; i < cookies.length; i++) {
|
||||
const cookie = cookies[i].trim();
|
||||
if (cookie.substring(0, name.length + 1) === (name + '=')) {
|
||||
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return cookieValue;
|
||||
}
|
||||
});
|
||||
</script>
|
||||
|
||||
{% endblock %}
|
||||
|
||||
@@ -7,7 +7,7 @@ from io import StringIO
|
||||
from .models import (
|
||||
Dokumententyp, Person, Thema, Dokument, Vorgabe,
|
||||
VorgabeLangtext, VorgabeKurztext, Geltungsbereich,
|
||||
Einleitung, Checklistenfrage, Changelog
|
||||
Einleitung, Checklistenfrage, Changelog, VorgabeComment
|
||||
)
|
||||
from .utils import check_vorgabe_conflicts, date_ranges_intersect, format_conflict_report
|
||||
from abschnitte.models import AbschnittTyp
|
||||
@@ -1506,3 +1506,669 @@ class StandardJSONViewTest(TestCase):
|
||||
# Check that JSON is properly indented (should be formatted)
|
||||
self.assertIn('\n', response.content.decode())
|
||||
self.assertIn(' ', response.content.decode()) # Check for indentation
|
||||
|
||||
|
||||
class VorgabeCommentModelTest(TestCase):
|
||||
"""Test cases for VorgabeComment model"""
|
||||
|
||||
def setUp(self):
|
||||
"""Set up test data for comment tests"""
|
||||
self.user = User.objects.create_user(
|
||||
username='testuser',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
self.dokumententyp = Dokumententyp.objects.create(
|
||||
name="Test Typ",
|
||||
verantwortliche_ve="Test VE"
|
||||
)
|
||||
|
||||
self.thema = Thema.objects.create(
|
||||
name="Test Thema"
|
||||
)
|
||||
|
||||
self.dokument = Dokument.objects.create(
|
||||
nummer="COMM-001",
|
||||
dokumententyp=self.dokumententyp,
|
||||
name="Comment Test Document",
|
||||
aktiv=True
|
||||
)
|
||||
|
||||
self.vorgabe = Vorgabe.objects.create(
|
||||
order=1,
|
||||
nummer=1,
|
||||
dokument=self.dokument,
|
||||
thema=self.thema,
|
||||
titel="Test Vorgabe",
|
||||
gueltigkeit_von=date.today()
|
||||
)
|
||||
|
||||
self.comment = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.user,
|
||||
text="Dies ist ein Testkommentar"
|
||||
)
|
||||
|
||||
def test_comment_creation(self):
|
||||
"""Test that VorgabeComment is created correctly"""
|
||||
self.assertEqual(self.comment.vorgabe, self.vorgabe)
|
||||
self.assertEqual(self.comment.user, self.user)
|
||||
self.assertEqual(self.comment.text, "Dies ist ein Testkommentar")
|
||||
self.assertIsNotNone(self.comment.created_at)
|
||||
self.assertIsNotNone(self.comment.updated_at)
|
||||
|
||||
def test_comment_str(self):
|
||||
"""Test string representation of VorgabeComment"""
|
||||
expected = f"Kommentar von {self.user.username} zu {self.vorgabe.Vorgabennummer()}"
|
||||
self.assertEqual(str(self.comment), expected)
|
||||
|
||||
def test_comment_related_name(self):
|
||||
"""Test related name works correctly"""
|
||||
self.assertIn(self.comment, self.vorgabe.comments.all())
|
||||
|
||||
def test_comment_ordering(self):
|
||||
"""Test comments are ordered by created_at descending"""
|
||||
comment2 = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.user,
|
||||
text="Zweiter Kommentar"
|
||||
)
|
||||
|
||||
comments = list(self.vorgabe.comments.all())
|
||||
self.assertEqual(comments[0], comment2) # Newest first
|
||||
self.assertEqual(comments[1], self.comment)
|
||||
|
||||
def test_comment_timestamps_auto_update(self):
|
||||
"""Test that updated_at changes when comment is modified"""
|
||||
original_updated_at = self.comment.updated_at
|
||||
|
||||
# Wait a tiny bit and update
|
||||
import time
|
||||
time.sleep(0.01)
|
||||
|
||||
self.comment.text = "Updated text"
|
||||
self.comment.save()
|
||||
|
||||
self.assertNotEqual(self.comment.updated_at, original_updated_at)
|
||||
self.assertEqual(self.comment.text, "Updated text")
|
||||
|
||||
def test_multiple_users_can_comment(self):
|
||||
"""Test multiple users can comment on same Vorgabe"""
|
||||
user2 = User.objects.create_user(
|
||||
username='testuser2',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
comment2 = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=user2,
|
||||
text="Kommentar von anderem Benutzer"
|
||||
)
|
||||
|
||||
self.assertEqual(self.vorgabe.comments.count(), 2)
|
||||
self.assertIn(self.comment, self.vorgabe.comments.all())
|
||||
self.assertIn(comment2, self.vorgabe.comments.all())
|
||||
|
||||
|
||||
class GetVorgabeCommentsViewTest(TestCase):
|
||||
"""Test cases for get_vorgabe_comments view"""
|
||||
|
||||
def setUp(self):
|
||||
"""Set up test data"""
|
||||
self.client = Client()
|
||||
|
||||
# Create users
|
||||
self.regular_user = User.objects.create_user(
|
||||
username='regularuser',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
self.staff_user = User.objects.create_user(
|
||||
username='staffuser',
|
||||
password='testpass123'
|
||||
)
|
||||
self.staff_user.is_staff = True
|
||||
self.staff_user.save()
|
||||
|
||||
self.other_user = User.objects.create_user(
|
||||
username='otheruser',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
# Create test data
|
||||
self.dokumententyp = Dokumententyp.objects.create(
|
||||
name="Test Typ",
|
||||
verantwortliche_ve="Test VE"
|
||||
)
|
||||
|
||||
self.thema = Thema.objects.create(name="Test Thema")
|
||||
|
||||
self.dokument = Dokument.objects.create(
|
||||
nummer="COMM-001",
|
||||
dokumententyp=self.dokumententyp,
|
||||
name="Comment Test",
|
||||
aktiv=True
|
||||
)
|
||||
|
||||
self.vorgabe = Vorgabe.objects.create(
|
||||
order=1,
|
||||
nummer=1,
|
||||
dokument=self.dokument,
|
||||
thema=self.thema,
|
||||
titel="Test Vorgabe",
|
||||
gueltigkeit_von=date.today()
|
||||
)
|
||||
|
||||
# Create comments from different users
|
||||
self.comment1 = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.regular_user,
|
||||
text="Kommentar von Regular User"
|
||||
)
|
||||
|
||||
self.comment2 = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.other_user,
|
||||
text="Kommentar von Other User"
|
||||
)
|
||||
|
||||
def test_get_comments_requires_login(self):
|
||||
"""Test that anonymous users cannot view comments"""
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
# Should redirect to login
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertIn('/login/', response.url)
|
||||
|
||||
def test_regular_user_sees_only_own_comments(self):
|
||||
"""Test that regular users only see their own comments"""
|
||||
self.client.login(username='regularuser', password='testpass123')
|
||||
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(response['Content-Type'], 'application/json')
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
# Should only see their own comment
|
||||
self.assertEqual(len(data['comments']), 1)
|
||||
self.assertEqual(data['comments'][0]['text'], 'Kommentar von Regular User')
|
||||
self.assertEqual(data['comments'][0]['user'], 'regularuser')
|
||||
self.assertTrue(data['comments'][0]['is_own'])
|
||||
|
||||
def test_staff_user_sees_all_comments(self):
|
||||
"""Test that staff users see all comments"""
|
||||
self.client.login(username='staffuser', password='testpass123')
|
||||
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
# Should see all comments
|
||||
self.assertEqual(len(data['comments']), 2)
|
||||
usernames = [c['user'] for c in data['comments']]
|
||||
self.assertIn('regularuser', usernames)
|
||||
self.assertIn('otheruser', usernames)
|
||||
|
||||
def test_get_comments_returns_404_for_nonexistent_vorgabe(self):
|
||||
"""Test that requesting comments for non-existent Vorgabe returns 404"""
|
||||
self.client.login(username='regularuser', password='testpass123')
|
||||
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': 99999})
|
||||
response = self.client.get(url)
|
||||
|
||||
self.assertEqual(response.status_code, 404)
|
||||
|
||||
def test_comments_are_html_escaped(self):
|
||||
"""Test that comments are properly HTML escaped"""
|
||||
# Create comment with HTML
|
||||
comment = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.regular_user,
|
||||
text="Test <script>alert('xss')</script> comment"
|
||||
)
|
||||
|
||||
self.client.login(username='regularuser', password='testpass123')
|
||||
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
# Find the comment with script tag
|
||||
script_comment = [c for c in data['comments'] if 'script' in c['text'].lower()][0]
|
||||
|
||||
# Should be escaped
|
||||
self.assertIn('<script>', script_comment['text'])
|
||||
self.assertNotIn('<script>', script_comment['text'])
|
||||
|
||||
def test_line_breaks_preserved(self):
|
||||
"""Test that line breaks are converted to <br> tags"""
|
||||
comment = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.regular_user,
|
||||
text="Line 1\nLine 2\nLine 3"
|
||||
)
|
||||
|
||||
self.client.login(username='regularuser', password='testpass123')
|
||||
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
# Find the multiline comment
|
||||
multiline_comment = [c for c in data['comments'] if 'Line 1' in c['text']][0]
|
||||
|
||||
# Should contain <br> tags
|
||||
self.assertIn('<br>', multiline_comment['text'])
|
||||
self.assertIn('Line 1<br>Line 2<br>Line 3', multiline_comment['text'])
|
||||
|
||||
def test_security_headers_present(self):
|
||||
"""Test that security headers are present in response"""
|
||||
self.client.login(username='regularuser', password='testpass123')
|
||||
|
||||
url = reverse('get_vorgabe_comments', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
self.assertIn('Content-Security-Policy', response)
|
||||
self.assertIn('X-Content-Type-Options', response)
|
||||
self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
|
||||
|
||||
|
||||
class AddVorgabeCommentViewTest(TestCase):
|
||||
"""Test cases for add_vorgabe_comment view"""
|
||||
|
||||
def setUp(self):
|
||||
"""Set up test data"""
|
||||
self.client = Client()
|
||||
|
||||
self.user = User.objects.create_user(
|
||||
username='testuser',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
self.dokumententyp = Dokumententyp.objects.create(
|
||||
name="Test Typ",
|
||||
verantwortliche_ve="Test VE"
|
||||
)
|
||||
|
||||
self.thema = Thema.objects.create(name="Test Thema")
|
||||
|
||||
self.dokument = Dokument.objects.create(
|
||||
nummer="COMM-001",
|
||||
dokumententyp=self.dokumententyp,
|
||||
name="Comment Test",
|
||||
aktiv=True
|
||||
)
|
||||
|
||||
self.vorgabe = Vorgabe.objects.create(
|
||||
order=1,
|
||||
nummer=1,
|
||||
dokument=self.dokument,
|
||||
thema=self.thema,
|
||||
titel="Test Vorgabe",
|
||||
gueltigkeit_von=date.today()
|
||||
)
|
||||
|
||||
def test_add_comment_requires_login(self):
|
||||
"""Test that anonymous users cannot add comments"""
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": "Test comment"}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
# Should redirect to login
|
||||
self.assertEqual(response.status_code, 302)
|
||||
|
||||
def test_add_comment_requires_post(self):
|
||||
"""Test that only POST method is allowed"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
# Should return method not allowed
|
||||
self.assertEqual(response.status_code, 405)
|
||||
|
||||
def test_add_comment_success(self):
|
||||
"""Test successful comment addition"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": "Dies ist ein neuer Kommentar"}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertTrue(data['success'])
|
||||
self.assertEqual(data['comment']['text'], 'Dies ist ein neuer Kommentar')
|
||||
self.assertEqual(data['comment']['user'], 'testuser')
|
||||
self.assertTrue(data['comment']['is_own'])
|
||||
|
||||
# Verify comment was created in database
|
||||
self.assertEqual(VorgabeComment.objects.count(), 1)
|
||||
comment = VorgabeComment.objects.first()
|
||||
self.assertEqual(comment.text, 'Dies ist ein neuer Kommentar')
|
||||
self.assertEqual(comment.user, self.user)
|
||||
|
||||
def test_add_empty_comment_fails(self):
|
||||
"""Test that empty comments are rejected"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": ""}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertIn('error', data)
|
||||
self.assertIn('leer', data['error'].lower())
|
||||
|
||||
# No comment should be created
|
||||
self.assertEqual(VorgabeComment.objects.count(), 0)
|
||||
|
||||
def test_add_whitespace_only_comment_fails(self):
|
||||
"""Test that whitespace-only comments are rejected"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": " \\n\\t "}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
self.assertEqual(VorgabeComment.objects.count(), 0)
|
||||
|
||||
def test_add_too_long_comment_fails(self):
|
||||
"""Test that comments exceeding max length are rejected"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
long_text = "a" * 2001 # Over the 2000 character limit
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data=f'{{"text": "{long_text}"}}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertIn('error', data)
|
||||
self.assertIn('lang', data['error'].lower())
|
||||
|
||||
# No comment should be created
|
||||
self.assertEqual(VorgabeComment.objects.count(), 0)
|
||||
|
||||
def test_add_comment_xss_script_tag_blocked(self):
|
||||
"""Test that comments with <script> tags are blocked"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": "Test <script>alert(\\"xss\\")</script> comment"}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertIn('error', data)
|
||||
self.assertIn('ungültige', data['error'].lower())
|
||||
|
||||
# No comment should be created
|
||||
self.assertEqual(VorgabeComment.objects.count(), 0)
|
||||
|
||||
def test_add_comment_xss_javascript_protocol_blocked(self):
|
||||
"""Test that comments with javascript: protocol are blocked"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": "Click <a href=\\"javascript:alert(1)\\">here</a>"}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
self.assertEqual(VorgabeComment.objects.count(), 0)
|
||||
|
||||
def test_add_comment_xss_event_handlers_blocked(self):
|
||||
"""Test that comments with event handlers are blocked"""
|
||||
dangerous_inputs = [
|
||||
'Test onload=alert(1) comment',
|
||||
'Test onerror=alert(1) comment',
|
||||
'Test onclick=alert(1) comment',
|
||||
'Test onmouseover=alert(1) comment'
|
||||
]
|
||||
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
|
||||
for dangerous_input in dangerous_inputs:
|
||||
response = self.client.post(url,
|
||||
data=f'{{"text": "{dangerous_input}"}}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
|
||||
# No comments should be created
|
||||
self.assertEqual(VorgabeComment.objects.count(), 0)
|
||||
|
||||
def test_add_comment_invalid_json_fails(self):
|
||||
"""Test that invalid JSON is rejected"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='invalid json',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertIn('error', data)
|
||||
self.assertIn('Ungültige', data['error'])
|
||||
|
||||
def test_add_comment_nonexistent_vorgabe_fails(self):
|
||||
"""Test that adding comment to non-existent Vorgabe returns 404"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': 99999})
|
||||
response = self.client.post(url,
|
||||
data='{"text": "Test comment"}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 404)
|
||||
|
||||
def test_add_comment_security_headers(self):
|
||||
"""Test that security headers are present in response"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('add_vorgabe_comment', kwargs={'vorgabe_id': self.vorgabe.id})
|
||||
response = self.client.post(url,
|
||||
data='{"text": "Test comment"}',
|
||||
content_type='application/json'
|
||||
)
|
||||
|
||||
self.assertIn('Content-Security-Policy', response)
|
||||
self.assertIn('X-Content-Type-Options', response)
|
||||
self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
|
||||
|
||||
|
||||
class DeleteVorgabeCommentViewTest(TestCase):
|
||||
"""Test cases for delete_vorgabe_comment view"""
|
||||
|
||||
def setUp(self):
|
||||
"""Set up test data"""
|
||||
self.client = Client()
|
||||
|
||||
self.user = User.objects.create_user(
|
||||
username='testuser',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
self.other_user = User.objects.create_user(
|
||||
username='otheruser',
|
||||
password='testpass123'
|
||||
)
|
||||
|
||||
self.staff_user = User.objects.create_user(
|
||||
username='staffuser',
|
||||
password='testpass123'
|
||||
)
|
||||
self.staff_user.is_staff = True
|
||||
self.staff_user.save()
|
||||
|
||||
self.dokumententyp = Dokumententyp.objects.create(
|
||||
name="Test Typ",
|
||||
verantwortliche_ve="Test VE"
|
||||
)
|
||||
|
||||
self.thema = Thema.objects.create(name="Test Thema")
|
||||
|
||||
self.dokument = Dokument.objects.create(
|
||||
nummer="COMM-001",
|
||||
dokumententyp=self.dokumententyp,
|
||||
name="Comment Test",
|
||||
aktiv=True
|
||||
)
|
||||
|
||||
self.vorgabe = Vorgabe.objects.create(
|
||||
order=1,
|
||||
nummer=1,
|
||||
dokument=self.dokument,
|
||||
thema=self.thema,
|
||||
titel="Test Vorgabe",
|
||||
gueltigkeit_von=date.today()
|
||||
)
|
||||
|
||||
self.comment = VorgabeComment.objects.create(
|
||||
vorgabe=self.vorgabe,
|
||||
user=self.user,
|
||||
text="Test comment to delete"
|
||||
)
|
||||
|
||||
def test_delete_comment_requires_login(self):
|
||||
"""Test that anonymous users cannot delete comments"""
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
|
||||
response = self.client.post(url)
|
||||
|
||||
# Should redirect to login
|
||||
self.assertEqual(response.status_code, 302)
|
||||
|
||||
# Comment should still exist
|
||||
self.assertTrue(VorgabeComment.objects.filter(id=self.comment.id).exists())
|
||||
|
||||
def test_delete_comment_requires_post(self):
|
||||
"""Test that only POST method is allowed"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
|
||||
response = self.client.get(url)
|
||||
|
||||
# Should return method not allowed
|
||||
self.assertEqual(response.status_code, 405)
|
||||
|
||||
def test_user_can_delete_own_comment(self):
|
||||
"""Test that users can delete their own comments"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
|
||||
response = self.client.post(url)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertTrue(data['success'])
|
||||
|
||||
# Comment should be deleted
|
||||
self.assertFalse(VorgabeComment.objects.filter(id=self.comment.id).exists())
|
||||
|
||||
def test_user_cannot_delete_other_users_comment(self):
|
||||
"""Test that users cannot delete other users' comments"""
|
||||
self.client.login(username='otheruser', password='testpass123')
|
||||
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
|
||||
response = self.client.post(url)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertIn('error', data)
|
||||
self.assertIn('Berechtigung', data['error'])
|
||||
|
||||
# Comment should still exist
|
||||
self.assertTrue(VorgabeComment.objects.filter(id=self.comment.id).exists())
|
||||
|
||||
def test_staff_can_delete_any_comment(self):
|
||||
"""Test that staff users can delete any comment"""
|
||||
self.client.login(username='staffuser', password='testpass123')
|
||||
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
|
||||
response = self.client.post(url)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
import json
|
||||
data = json.loads(response.content)
|
||||
|
||||
self.assertTrue(data['success'])
|
||||
|
||||
# Comment should be deleted
|
||||
self.assertFalse(VorgabeComment.objects.filter(id=self.comment.id).exists())
|
||||
|
||||
def test_delete_nonexistent_comment_returns_404(self):
|
||||
"""Test that deleting non-existent comment returns 404"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': 99999})
|
||||
response = self.client.post(url)
|
||||
|
||||
self.assertEqual(response.status_code, 404)
|
||||
|
||||
def test_delete_comment_security_headers(self):
|
||||
"""Test that security headers are present in response"""
|
||||
self.client.login(username='testuser', password='testpass123')
|
||||
|
||||
url = reverse('delete_vorgabe_comment', kwargs={'comment_id': self.comment.id})
|
||||
response = self.client.post(url)
|
||||
|
||||
self.assertIn('Content-Security-Policy', response)
|
||||
self.assertIn('X-Content-Type-Options', response)
|
||||
self.assertEqual(response['X-Content-Type-Options'], 'nosniff')
|
||||
|
||||
@@ -8,6 +8,9 @@ urlpatterns = [
|
||||
path('<str:nummer>/history/<str:check_date>/', views.standard_detail),
|
||||
path('<str:nummer>/history/', views.standard_detail, {"check_date":"today"}, name='standard_history'),
|
||||
path('<str:nummer>/checkliste/', views.standard_checkliste, name='standard_checkliste'),
|
||||
path('<str:nummer>/json/', views.standard_json, name='standard_json')
|
||||
path('<str:nummer>/json/', views.standard_json, name='standard_json'),
|
||||
path('comments/<int:vorgabe_id>/', views.get_vorgabe_comments, name='get_vorgabe_comments'),
|
||||
path('comments/<int:vorgabe_id>/add/', views.add_vorgabe_comment, name='add_vorgabe_comment'),
|
||||
path('comments/delete/<int:comment_id>/', views.delete_vorgabe_comment, name='delete_vorgabe_comment'),
|
||||
]
|
||||
|
||||
|
||||
@@ -2,8 +2,12 @@ from django.shortcuts import render, get_object_or_404
|
||||
from django.contrib.auth.decorators import login_required, user_passes_test
|
||||
from django.http import JsonResponse
|
||||
from django.core.serializers.json import DjangoJSONEncoder
|
||||
from django.views.decorators.http import require_POST
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
from django.utils.html import escape, mark_safe
|
||||
from django.utils.safestring import SafeString
|
||||
import json
|
||||
from .models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Checklistenfrage
|
||||
from .models import Dokument, Vorgabe, VorgabeKurztext, VorgabeLangtext, Checklistenfrage, VorgabeComment
|
||||
from abschnitte.utils import render_textabschnitte
|
||||
|
||||
from datetime import date
|
||||
@@ -44,6 +48,15 @@ def standard_detail(request, nummer,check_date=""):
|
||||
for r in vorgabe.referenzen.all():
|
||||
referenz_items.append(r.Path())
|
||||
vorgabe.referenzpfade = referenz_items
|
||||
|
||||
# Add comment count
|
||||
if request.user.is_authenticated:
|
||||
if request.user.is_staff:
|
||||
vorgabe.comment_count = vorgabe.comments.count()
|
||||
else:
|
||||
vorgabe.comment_count = vorgabe.comments.filter(user=request.user).count()
|
||||
else:
|
||||
vorgabe.comment_count = 0
|
||||
|
||||
return render(request, 'standards/standard_detail.html', {
|
||||
'standard': standard,
|
||||
@@ -237,3 +250,119 @@ def standard_json(request, nummer):
|
||||
|
||||
# Return JSON response
|
||||
return JsonResponse(doc_data, json_dumps_params={'indent': 2, 'ensure_ascii': False}, encoder=DjangoJSONEncoder)
|
||||
|
||||
|
||||
@login_required
|
||||
def get_vorgabe_comments(request, vorgabe_id):
|
||||
"""Get comments for a specific Vorgabe"""
|
||||
vorgabe = get_object_or_404(Vorgabe, id=vorgabe_id)
|
||||
|
||||
if request.user.is_staff:
|
||||
# Staff can see all comments
|
||||
comments = vorgabe.comments.all().select_related('user').order_by('created_at')
|
||||
else:
|
||||
# Regular users can only see their own comments
|
||||
comments = vorgabe.comments.filter(user=request.user).select_related('user').order_by('created_at')
|
||||
|
||||
comments_data = []
|
||||
for comment in comments:
|
||||
# Escape HTML but preserve line breaks
|
||||
escaped_text = escape(comment.text).replace('\n', '<br>')
|
||||
comments_data.append({
|
||||
'id': comment.id,
|
||||
'text': escaped_text,
|
||||
'user': escape(comment.user.first_name+" "+comment.user.last_name),
|
||||
'created_at': comment.created_at.strftime('%d.%m.%Y %H:%M'),
|
||||
'updated_at': comment.updated_at.strftime('%d.%m.%Y %H:%M'),
|
||||
'is_own': comment.user == request.user
|
||||
})
|
||||
|
||||
response = JsonResponse({'comments': comments_data})
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
|
||||
|
||||
@require_POST
|
||||
@login_required
|
||||
def add_vorgabe_comment(request, vorgabe_id):
|
||||
"""Add a new comment to a Vorgabe"""
|
||||
vorgabe = get_object_or_404(Vorgabe, id=vorgabe_id)
|
||||
|
||||
try:
|
||||
data = json.loads(request.body)
|
||||
text = data.get('text', '').strip()
|
||||
|
||||
# Validate input
|
||||
if not text:
|
||||
return JsonResponse({'error': 'Kommentar darf nicht leer sein'}, status=400)
|
||||
|
||||
if len(text) > 2000: # Reasonable length limit
|
||||
return JsonResponse({'error': 'Kommentar ist zu lang (max 2000 Zeichen)'}, status=400)
|
||||
|
||||
# Additional XSS prevention - check for dangerous patterns
|
||||
dangerous_patterns = ['<script', 'javascript:', 'onload=', 'onerror=', 'onclick=', 'onmouseover=']
|
||||
text_lower = text.lower()
|
||||
for pattern in dangerous_patterns:
|
||||
if pattern in text_lower:
|
||||
return JsonResponse({'error': 'Kommentar enthält ungültige Zeichen'}, status=400)
|
||||
|
||||
comment = VorgabeComment.objects.create(
|
||||
vorgabe=vorgabe,
|
||||
user=request.user,
|
||||
text=text
|
||||
)
|
||||
|
||||
# Escape HTML but preserve line breaks
|
||||
escaped_text = escape(comment.text).replace('\n', '<br>')
|
||||
response = JsonResponse({
|
||||
'success': True,
|
||||
'comment': {
|
||||
'id': comment.id,
|
||||
'text': escaped_text,
|
||||
'user': escape(comment.user.username),
|
||||
'created_at': comment.created_at.strftime('%d.%m.%Y %H:%M'),
|
||||
'updated_at': comment.updated_at.strftime('%d.%m.%Y %H:%M'),
|
||||
'is_own': True
|
||||
}
|
||||
})
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
|
||||
except json.JSONDecodeError:
|
||||
response = JsonResponse({'error': 'Ungültige Daten'}, status=400)
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
except Exception as e:
|
||||
response = JsonResponse({'error': 'Serverfehler'}, status=500)
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
|
||||
|
||||
@require_POST
|
||||
@login_required
|
||||
def delete_vorgabe_comment(request, comment_id):
|
||||
"""Delete a comment (only own comments or staff can delete)"""
|
||||
comment = get_object_or_404(VorgabeComment, id=comment_id)
|
||||
|
||||
# Check if user can delete this comment
|
||||
if comment.user != request.user and not request.user.is_staff:
|
||||
response = JsonResponse({'error': 'Keine Berechtigung zum Löschen dieses Kommentars'}, status=403)
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
|
||||
try:
|
||||
comment.delete()
|
||||
response = JsonResponse({'success': True})
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
except Exception as e:
|
||||
response = JsonResponse({'error': 'Serverfehler'}, status=500)
|
||||
response['Content-Security-Policy'] = "default-src 'self'"
|
||||
response['X-Content-Type-Options'] = 'nosniff'
|
||||
return response
|
||||
|
||||
@@ -215,7 +215,7 @@
|
||||
</p>
|
||||
</div>
|
||||
<div class="col-sm-6 text-right">
|
||||
<p class="text-muted">Version {{ version|default:"0.958" }}</p>
|
||||
<p class="text-muted">Version {{ version|default:"0.960" }}</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
# Generated by Django 5.2.5 on 2025-11-27 22:02
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('referenzen', '0002_alter_referenz_table_alter_referenzerklaerung_table'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='referenzerklaerung',
|
||||
options={'verbose_name': 'Erklärung', 'verbose_name_plural': 'Erklärungen'},
|
||||
),
|
||||
]
|
||||
@@ -11,4 +11,93 @@
|
||||
margin-bottom: 1em;
|
||||
border: 1px solid #ccc;
|
||||
padding: 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* Comment System Styles */
|
||||
.comment-btn {
|
||||
position: relative;
|
||||
}
|
||||
|
||||
.comment-btn .comment-count {
|
||||
position: absolute;
|
||||
top: -8px;
|
||||
right: -8px;
|
||||
background-color: #dc3545;
|
||||
color: white;
|
||||
border-radius: 50%;
|
||||
width: 20px;
|
||||
height: 20px;
|
||||
font-size: 11px;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
font-weight: bold;
|
||||
}
|
||||
|
||||
.comment-item {
|
||||
max-width: 100%;
|
||||
word-wrap: break-word;
|
||||
overflow-wrap: break-word;
|
||||
}
|
||||
|
||||
.comment-item .text-muted {
|
||||
font-size: 0.85em;
|
||||
}
|
||||
|
||||
#commentModal .modal-body {
|
||||
max-height: 60vh;
|
||||
overflow-y: auto;
|
||||
}
|
||||
|
||||
#commentsContainer {
|
||||
min-height: 100px;
|
||||
}
|
||||
|
||||
.delete-comment-btn {
|
||||
opacity: 0.7;
|
||||
transition: opacity 0.2s;
|
||||
}
|
||||
|
||||
.delete-comment-btn:hover {
|
||||
opacity: 1;
|
||||
}
|
||||
|
||||
.delete-comment-btn {
|
||||
font-size: 18px;
|
||||
font-weight: bold;
|
||||
line-height: 1;
|
||||
color: #721c24;
|
||||
border: 1px solid #f5c6cb;
|
||||
border-radius: 4px;
|
||||
width: 28px;
|
||||
height: 28px;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
padding: 0;
|
||||
}
|
||||
|
||||
.delete-comment-btn:hover {
|
||||
opacity: 1;
|
||||
background-color: #f8d7da;
|
||||
border-color: #f5c6cb;
|
||||
}
|
||||
|
||||
/* Icon styling for emoji replacements */
|
||||
.emoji-icon {
|
||||
font-size: 1.1em;
|
||||
margin-right: 0.3em;
|
||||
vertical-align: middle;
|
||||
}
|
||||
|
||||
/* Responsive adjustments */
|
||||
@media (max-width: 768px) {
|
||||
.comment-item .d-flex {
|
||||
flex-direction: column;
|
||||
}
|
||||
|
||||
.delete-comment-btn {
|
||||
margin-left: 0 !important;
|
||||
margin-top: 0.5rem;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# Generated by Django 5.2.5 on 2025-11-27 22:02
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('stichworte', '0002_stichworterklaerung_order'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='stichworterklaerung',
|
||||
options={'verbose_name': 'Erklärung', 'verbose_name_plural': 'Erklärungen'},
|
||||
),
|
||||
]
|
||||
Reference in New Issue
Block a user