Security fix - every field of a model is send - even password

Atm WebsocketBinding sends every field of a model, even the password of a user. Users of the class should have to think about which fields they want to send to the user. Also added a more intuitive option for sending all fields.
2025-04-20 08:42:18 +03:00 · 2016-07-21 21:06:25 +02:00 · 2016-07-21 21:06:25 +02:00 · d07600f04b
commit d07600f04b
parent 4d580c2575
1 changed files with 8 additions and 1 deletions
--- a/channels/binding/websockets.py
+++ b/channels/binding/websockets.py
@ -30,6 +30,11 @@ class WebsocketBinding(Binding):
    # Stream multiplexing name

    stream = None
+    
+    # only model fields that are listed in fields should be send by default
+    # if you want to really send all fields, use fields = ['__all__']
+    
+    fields = []

    # Outbound
    @classmethod
@ -49,7 +54,9 @@ class WebsocketBinding(Binding):
        """
        Serializes model data into JSON-compatible types.
        """
-        data = serializers.serialize('json', [instance])
+        if self.fields == ['__all__']:
+            self.fields = None
+        data = serializers.serialize('json', [instance], fields=self.fields)
        return json.loads(data)[0]['fields']

    # Inbound