Add option to disable changing config from client (#295)

* Add option to disable changing of configuration

Introduces a test to ensure the correct response code is found when
attempting to update the config when disabled, and ensure default config
is unchanged when posting a new config dict.

Attempting to update the config using the API when disabled now returns
a 403 code + redirect.

Co-authored-by: Ben Busby <benbusby@protonmail.com>
main
Angel Mario 2021-04-27 17:36:03 +03:00 committed by GitHub
parent 8ae7b5947e
commit d6d7110e22
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 133 additions and 107 deletions


@ -80,6 +80,11 @@
"value": "", "value": "",
"required": false "required": false
}, },
"WHOOGLE_CONFIG_DISABLE": {
"description": "[CONFIG] Disable ability for client to change config (set to 1 or leave blank)",
"value": "",
"required": false
},
"WHOOGLE_CONFIG_DARK": { "WHOOGLE_CONFIG_DARK": {
"description": "[CONFIG] Enable dark mode (set to 1 or leave blank)", "description": "[CONFIG] Enable dark mode (set to 1 or leave blank)",
"value": "", "value": "",


@ -39,6 +39,7 @@ app.config['CONFIG_PATH'] = os.getenv(
app.config['DEFAULT_CONFIG'] = os.path.join( app.config['DEFAULT_CONFIG'] = os.path.join(
app.config['CONFIG_PATH'], app.config['CONFIG_PATH'],
'config.json') 'config.json')
app.config['CONFIG_DISABLE'] = os.getenv('WHOOGLE_CONFIG_DISABLE', '')
app.config['SESSION_FILE_DIR'] = os.path.join( app.config['SESSION_FILE_DIR'] = os.path.join(
app.config['CONFIG_PATH'], app.config['CONFIG_PATH'],
'session') 'session')
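Review bot: `app.config['CONFIG_DISABLE']` holds the raw environment string and the route tests it with `not config_disabled`, so any non-empty value, including `0` or `false`, locks the configuration. Failing closed is the safer direction for a lock-down switch, but it does not match the "set to 1 or leave blank" wording and will surprise an operator who writes `WHOOGLE_CONFIG_DISABLE=0`. I would keep the behaviour and document it on this line, e.g. `# Any non-empty value (even "0") disables client-side config changes`, rather than comparing against `'1'`, which would silently fail open on a typo.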


@ -129,6 +129,7 @@ def index():
logo=render_template( logo=render_template(
'logo.html', 'logo.html',
dark=g.user_config.dark), dark=g.user_config.dark),
config_disabled=app.config['CONFIG_DISABLE'],
config=g.user_config, config=g.user_config,
tor_available=int(os.environ.get('TOR_AVAILABLE')), tor_available=int(os.environ.get('TOR_AVAILABLE')),
version_number=app.config['VERSION_NUMBER']) version_number=app.config['VERSION_NUMBER'])
@ -237,9 +238,10 @@ def search():
@app.route('/config', methods=['GET', 'POST', 'PUT']) @app.route('/config', methods=['GET', 'POST', 'PUT'])
@auth_required @auth_required
def config(): def config():
config_disabled = app.config['CONFIG_DISABLE']
if request.method == 'GET': if request.method == 'GET':
return json.dumps(g.user_config.__dict__) return json.dumps(g.user_config.__dict__)
elif request.method == 'PUT': elif request.method == 'PUT' and not config_disabled:
if 'name' in request.args: if 'name' in request.args:
config_pkl = os.path.join( config_pkl = os.path.join(
app.config['CONFIG_PATH'], app.config['CONFIG_PATH'],
@ -250,7 +252,7 @@ def config():
return json.dumps(session['config']) return json.dumps(session['config'])
else: else:
return json.dumps({}) return json.dumps({})
else: elif not config_disabled:
config_data = request.form.to_dict() config_data = request.form.to_dict()
if 'url' not in config_data or not config_data['url']: if 'url' not in config_data or not config_data['url']:
config_data['url'] = g.user_config.url config_data['url'] = g.user_config.url
@ -270,6 +272,8 @@ def config():
session['config'] = config_data session['config'] = config_data
return redirect(config_data['url']) return redirect(config_data['url'])
else:
return redirect(url_for('.index'), code=403)
@app.route('/url', methods=['GET']) @app.route('/url', methods=['GET'])
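Review bot: The new final `else` in `config()` returns `redirect(url_for('.index'), code=403)`, but 403 is not a redirection status, so clients will not follow the `Location` header and the user is left on the short HTML body that `redirect()` generates. Since the intent is to refuse the write, a plain refusal is clearer: `abort(403)`, importing `abort` from flask if this module does not already do so (the import block is outside the hunk). The gate itself looks right for both write paths: with the option set, PUT and POST fall through to the 403 while GET still returns the current config as JSON. If read access is not wanted on locked-down deployments, that deserves a comment on the GET branch. Parts of the body of `config()` lie between the hunks and are not visible here.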


@ -56,6 +56,7 @@
<input type="submit" id="search-submit" value="Search"> <input type="submit" id="search-submit" value="Search">
</div> </div>
</form> </form>
{% if not config_disabled %}
<br/> <br/>
<button id="config-collapsible" class="collapsible">Configuration</button> <button id="config-collapsible" class="collapsible">Configuration</button>
<div class="content"> <div class="content">
@ -160,6 +161,7 @@
</form> </form>
</div> </div>
</div> </div>
{% endif %}
</div> </div>
<footer> <footer>
<p style="color: {{ 'var(--whoogle-dark-text)' if config.dark else 'var(--whoogle-text)' }};"> <p style="color: {{ 'var(--whoogle-dark-text)' if config.dark else 'var(--whoogle-text)' }};">


@ -1,3 +1,5 @@
from app import app
import json import json
from test.conftest import demo_config from test.conftest import demo_config
@ -52,6 +54,17 @@ def test_config(client):
assert rv._status_code == 200 assert rv._status_code == 200
assert custom_config.replace('&', '&amp;') in str(rv.data) assert custom_config.replace('&', '&amp;') in str(rv.data)
# Test disabling changing config from client
app.config['CONFIG_DISABLE'] = 1
dark_mod = not demo_config['dark']
demo_config['dark'] = dark_mod
rv = client.post('/config', data=demo_config)
assert rv._status_code == 403
rv = client.get('/config')
config = json.loads(rv.data)
assert config['dark'] != dark_mod
def test_opensearch(client): def test_opensearch(client):
rv = client.get('/opensearch.xml') rv = client.get('/opensearch.xml')


@ -16,6 +16,7 @@
#WHOOGLE_CONFIG_COUNTRY=countryUK # See app/static/settings/countries.json for values #WHOOGLE_CONFIG_COUNTRY=countryUK # See app/static/settings/countries.json for values
#WHOOGLE_CONFIG_LANGUAGE=lang_en # See app/static/settings/languages.json for values #WHOOGLE_CONFIG_LANGUAGE=lang_en # See app/static/settings/languages.json for values
#WHOOGLE_CONFIG_SEARCH_LANGUAGE=lang_en # See app/static/settings/languages.json for values #WHOOGLE_CONFIG_SEARCH_LANGUAGE=lang_en # See app/static/settings/languages.json for values
#WHOOGLE_CONFIG_DISABLE=1 # Disables changing of config from client
#WHOOGLE_CONFIG_DARK=1 # Dark mode #WHOOGLE_CONFIG_DARK=1 # Dark mode
#WHOOGLE_CONFIG_SAFE=1 # Safe searches #WHOOGLE_CONFIG_SAFE=1 # Safe searches
#WHOOGLE_CONFIG_ALTS=1 # Use social media site alternatives #WHOOGLE_CONFIG_ALTS=1 # Use social media site alternatives