Merge pull request #264 from AlexejStukov/patch-10
Security fix - every field of a model is sent - even password
commit
8c6050fbba
|
@ -31,6 +31,11 @@ class WebsocketBinding(Binding):
|
||||||
|
|
||||||
stream = None
|
stream = None
|
||||||
|
|
||||||
|
# only model fields that are listed in fields should be send by default
|
||||||
|
# if you want to really send all fields, use fields = ['__all__']
|
||||||
|
|
||||||
|
fields = []
|
||||||
|
|
||||||
# Outbound
|
# Outbound
|
||||||
@classmethod
|
@classmethod
|
||||||
def encode(cls, stream, payload):
|
def encode(cls, stream, payload):
|
||||||
|
@ -49,7 +54,11 @@ class WebsocketBinding(Binding):
|
||||||
"""
|
"""
|
||||||
Serializes model data into JSON-compatible types.
|
Serializes model data into JSON-compatible types.
|
||||||
"""
|
"""
|
||||||
data = serializers.serialize('json', [instance])
|
if self.fields == ['__all__']:
|
||||||
|
self.fields = None
|
||||||
|
elif not self.fields:
|
||||||
|
raise ValueError("You must set the fields attribute on Binding %r!" % self.__class__)
|
||||||
|
data = serializers.serialize('json', [instance], fields=self.fields)
|
||||||
return json.loads(data)[0]['fields']
|
return json.loads(data)[0]['fields']
|
||||||
|
|
||||||
# Inbound
|
# Inbound
|
||||||
|
|
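Review bot: In the second hunk, `self.fields = None` overwrites the binding's own attribute the first time `['__all__']` is seen, so if the same binding object serializes again the `elif not self.fields` branch raises ValueError (whether binding objects are reused is not visible from this page). Resolving the value into a local avoids that: `fields = None if self.fields == ['__all__'] else self.fields`, then pass `fields=fields` to `serializers.serialize`. The comparison is also list-only, so `fields = ('__all__',)` would be passed through as a field name rather than meaning "all"; comparing `list(self.fields)` would cover it. Next to `fields = []` I would add `# '__all__' sends every column, including password hashes; prefer an explicit list` so the opt-in is a conscious choice. The enclosing method's signature lies outside the hunk.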