Merge pull request #264 from AlexejStukov/patch-10

Security fix - every field of a model is send - even password
2025-04-20 08:42:18 +03:00 · 2016-07-22 21:32:32 -04:00 · 2016-07-22 21:32:32 -04:00 · 8c6050fbba
commit 8c6050fbba
parent 9f6ea22eff 4625266db6
1 changed files with 10 additions and 1 deletions
--- a/channels/binding/websockets.py
+++ b/channels/binding/websockets.py
@ -31,6 +31,11 @@ class WebsocketBinding(Binding):

    stream = None

+    # only model fields that are listed in fields should be send by default
+    # if you want to really send all fields, use fields = ['__all__']
+
+    fields = []
+
    # Outbound
    @classmethod
    def encode(cls, stream, payload):
@ -49,7 +54,11 @@ class WebsocketBinding(Binding):
        """
        Serializes model data into JSON-compatible types.
        """
-        data = serializers.serialize('json', [instance])
+        if self.fields == ['__all__']:
+            self.fields = None
+        elif not self.fields:
+            raise ValueError("You must set the fields attribute on Binding %r!" % self.__class__)
+        data = serializers.serialize('json', [instance], fields=self.fields)
        return json.loads(data)[0]['fields']

    # Inbound