fix pentest

周伟奇
Showing 3 changed files with 13 additions and 10 deletions
src/apps/account/views.py
src/apps/doc/views.py
src/common/redis_cache/handler.py
--- a/src/apps/account/views.py
View file @38e6d12
+++ b/src/apps/account/views.py
View file @38e6d12
@@ -26,8 +26,9 @@ class LoginView(ObtainJSONWebToken, GenericView):

    def post(self, request, *args, **kwargs):
        # 登录次数限制
+        remote_ip = request.META.get('HTTP_REMOTEIP', '')
        user_name = request.data.get('username', '')
-        times = rh.get_login_times(user_name)
+        times = rh.get_login_times(remote_ip)
        if isinstance(times, int) and times >= LOGIN_TIMES_LIMIT:
            raise self.invalid_params(msg="重试次数限制")

@@ -35,7 +36,7 @@ class LoginView(ObtainJSONWebToken, GenericView):
        self.running_log.info('[users.login] username: {0}'.format(user_name))

        if res.status_code == status.HTTP_400_BAD_REQUEST:
-            rh.set_login_times(user_name, LOGIN_TIMES_LIMIT_EXPIRES)
+            rh.set_login_times(remote_ip, LOGIN_TIMES_LIMIT_EXPIRES)
            raise self.invalid_params(msg="用户名或密码错误")
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid()
--- a/src/apps/doc/views.py
View file @38e6d12
+++ b/src/apps/doc/views.py
View file @38e6d12
@@ -1005,10 +1005,10 @@ class DocView(GenericView, DocHandler):


 class CompareResultView(GenericView):
-    permission_classes = []
-    authentication_classes = []
-    # permission_classes = [IsAuthenticated]
-    # authentication_classes = [OAuth2AuthenticationWithUser]
+    # permission_classes = []
+    # authentication_classes = []
+    permission_classes = [IsAuthenticated]
+    authentication_classes = [OAuth2AuthenticationWithUser]

    # 获取比对结果
    @use_args(compare_result_args, location='querystring')
@@ -1307,10 +1307,10 @@ class SEContractView(GenericView):


 class AutoSettlementView(GenericView):
-    permission_classes = []
-    authentication_classes = []
-    # permission_classes = [IsAuthenticated]
-    # authentication_classes = [OAuth2AuthenticationWithUser]
+    # permission_classes = []
+    # authentication_classes = []
+    permission_classes = [IsAuthenticated]
+    authentication_classes = [OAuth2AuthenticationWithUser]

    # 获取auto settlement列表
    @use_args(auto_list_args, location='querystring')
--- a/src/common/redis_cache/handler.py
View file @38e6d12
+++ b/src/common/redis_cache/handler.py
View file @38e6d12
@@ -78,6 +78,8 @@ class RedisHandler:
        return self.redis.get('{0}:{1}'.format(self.login_limit_key, user_name))

    def set_login_times(self, user_name, expires=None):
+        if user_name == '':
+            return
        key = '{0}:{1}'.format(self.login_limit_key, user_name)
        self.redis.incr(key)
        if isinstance(expires, int):