fixed some securty vunerabilities

pavleerg · pavleerg · commit a66c9fa14649 · 2026-03-26T00:40:23.000+01:00
diff --git a/bruc/views.py b/bruc/views.py
@@ -35,11 +35,15 @@
 from django.contrib.auth.models import User
 from rest_framework_simplejwt.tokens import RefreshToken
 from rest_framework.permissions import IsAuthenticated, AllowAny, BasePermission, IsAuthenticatedOrReadOnly
+from rest_framework.throttling import AnonRateThrottle
 from django.contrib.auth.models import User as DjangoUser
 
 from datetime import datetime, time
 from django.utils.timezone import make_aware
 
+class SponsorGuestThrottle(AnonRateThrottle):
+    rate = '30/hour'
+
 class MailerViewSet(viewsets.ModelViewSet):
     queryset = Mailer.objects.all()
     serializer_class = MailerSerializer
@@ -238,7 +242,7 @@ class SponsorsViewSet(viewsets.ModelViewSet):
     serializer_class = SponsorsSerializer
     filter_backends = [DynamicSearchFilter, filters.OrderingFilter]
     ordering_fields = ['order']
-    permission_classes = [AllowAny]
+    permission_classes = [IsAuthenticated]
 
     @action(detail=False, methods=['get'], permission_classes=[AllowAny], url_path='public')
     def public(self, request):
@@ -261,6 +265,7 @@ def public(self, request):
         detail=False,
         methods=['get', 'post', 'delete'],
         permission_classes=[AllowAny],
+        throttle_classes=[SponsorGuestThrottle],
         url_path='public/guests'
     )
     def public_guests(self, request):
@@ -300,7 +305,7 @@ def public_guests(self, request):
             if not sponsor:
                 return Response({"detail": "Sponsor not found"}, status=404)
 
-            guest = Guests.objects.filter(id=guest_id, tag__icontains=sponsor.slug).first()
+            guest = Guests.objects.filter(id=guest_id, tag__istartswith=sponsor.slug).first()
             if not guest:
                 return Response({"detail": "Guest not found"}, status=404)
 
@@ -460,7 +465,7 @@ def has_permission(self, request, view):
 class BrucosiFormResponseViewSet(viewsets.ModelViewSet):
     queryset = BrucosiFormResponse.objects.all()
     serializer_class = BrucosiFormResponseSerializer
-    permission_classes = [AllowAny]
+    permission_classes = [AllowPostAnyOtherwiseAuthenticated]
 
     @action(detail=False, methods=['post'], url_path='brucosi-form-submit')
     def brucosi_form_submit(self, request):
diff --git a/brucifer/settings.py b/brucifer/settings.py
@@ -28,9 +28,10 @@
 SECRET_KEY = os.getenv("DJANGO_SECRET_KEY")
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = os.getenv("DJANGO_DEBUG", "False") == "True"
 
-ALLOWED_HOSTS = ['*']
+_allowed = os.getenv("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
+ALLOWED_HOSTS = [h.strip() for h in _allowed.split(",") if h.strip()]
 
 # Application definition
 
