fix: update HTTP method requirements for borrar_producto and eliminar_direccion views to require POST only

2026-05-26 12:01:15 +02:00
parent 848a49c92d
commit 4877e859bd
4 changed files with 34 additions and 11 deletions
+10
@@ -7,3 +7,13 @@ venv
db.sqlite3 db.sqlite3
static static
media media
docs
logs
staticfiles
.gitignore
AGENTS.md
Dockerfile
Makefile
nginx.conf
Procfile
uv.lock
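Review bot: The added `uv.lock` entry looks like it will break the image build, assuming this list is the Docker build-context ignore file (the `Dockerfile` and `.gitignore` entries suggest so; the file name is not shown on the page). The Dockerfile section of this same commit still runs `COPY pyproject.toml uv.lock /app/`, and a path excluded from the build context is not there for `COPY` to find. Removing the `uv.lock` line keeps the lockfile in the context so that `uv sync` installs the pinned dependency versions rather than resolving without it.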
+18 -2
@@ -6,16 +6,32 @@ WORKDIR /app
COPY pyproject.toml uv.lock /app/ COPY pyproject.toml uv.lock /app/
RUN apk --no-cache update && apk --no-cache upgrade \ RUN apk --no-cache update \
&& apk --no-cache upgrade \
&& apk --no-cache add \
build-base \
freetype-dev \
jpeg-dev \
zlib-dev \
&& pip install --no-cache-dir uv \ && pip install --no-cache-dir uv \
&& uv sync --no-dev --no-install-project # Install only dependencies, not the local project package && uv sync --no-dev --no-install-project # Install only dependencies, not the local project package
COPY . /app/ COPY ./entrypoint.sh /app/entrypoint.sh
RUN chmod +x /app/entrypoint.sh RUN chmod +x /app/entrypoint.sh
COPY ./proyecto /app/proyecto
COPY ./tienda /app/tienda
COPY ./manage.py /app/manage.py
EXPOSE 8000 EXPOSE 8000
RUN mkdir -pv /fonts RUN mkdir -pv /fonts
COPY tienda/static/fonts/ /fonts/ COPY tienda/static/fonts/ /fonts/
RUN addgroup -S app \
&& adduser -S app -G app \
&& chown -R app:app /app /fonts
USER app
ENTRYPOINT ["/bin/sh", "/app/entrypoint.sh"] ENTRYPOINT ["/bin/sh", "/app/entrypoint.sh"]
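Review bot: `build-base` and the three `-dev` packages added in the first `RUN` stay in the final image, so the runtime container ships a compiler toolchain that is presumably needed only while `uv sync` builds wheels. Installing them as a virtual group, `apk --no-cache add --virtual .build-deps build-base freetype-dev jpeg-dev zlib-dev`, and ending the same `RUN` with `apk del .build-deps` would remove them again, with the matching runtime libraries added as ordinary packages if an installed wheel links against them. Separately, `chown -R app:app /app /fonts` makes the application code and the synced environment writable by the account the service runs as. If only a few paths need writes at run time (not visible from this hunk), keeping the rest root-owned would limit what a compromised process can alter.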
+2 -2
@@ -1786,7 +1786,7 @@ class EndpointViewTests(TestCase):
self.assertTrue(OrderMessage.objects.filter(order_item=item, sender=self.seller).exists()) self.assertTrue(OrderMessage.objects.filter(order_item=item, sender=self.seller).exists())
delete_get = self.client.get(reverse("borrar_producto", args=[created.id])) delete_get = self.client.get(reverse("borrar_producto", args=[created.id]))
self.assertEqual(delete_get.status_code, 302) self.assertEqual(delete_get.status_code, 405)
delete_post = self.client.post(reverse("borrar_producto", args=[created.id])) delete_post = self.client.post(reverse("borrar_producto", args=[created.id]))
self.assertEqual(delete_post.status_code, 302) self.assertEqual(delete_post.status_code, 302)
self.assertFalse(Product.objects.filter(id=created.id).exists()) self.assertFalse(Product.objects.filter(id=created.id).exists())
@@ -2068,7 +2068,7 @@ class EndpointViewTests(TestCase):
self.assertEqual(new_address.full_name, "Comprador Dos Editado") self.assertEqual(new_address.full_name, "Comprador Dos Editado")
delete_get = self.client.get(reverse("eliminar_direccion", args=[new_address.id])) delete_get = self.client.get(reverse("eliminar_direccion", args=[new_address.id]))
self.assertEqual(delete_get.status_code, 302) self.assertEqual(delete_get.status_code, 405)
delete_post = self.client.post(reverse("eliminar_direccion", args=[new_address.id])) delete_post = self.client.post(reverse("eliminar_direccion", args=[new_address.id]))
self.assertEqual(delete_post.status_code, 302) self.assertEqual(delete_post.status_code, 302)
self.assertFalse(ShippingAddress.objects.filter(id=new_address.id).exists()) self.assertFalse(ShippingAddress.objects.filter(id=new_address.id).exists())
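Review bot: The updated `delete_get` checks assert only the 405 status code; neither hunk asserts that the row still exists after the rejected GET. Adding `self.assertTrue(Product.objects.filter(id=created.id).exists())` right after the 405 assertion in the first hunk, and the `ShippingAddress` equivalent with `new_address.id` in the second, would pin that a GET has no side effect, which is the property this commit is after. Both test methods start and end outside the hunks, so an existing assertion elsewhere may already cover this.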
+2 -5
@@ -1030,7 +1030,7 @@ def editar_producto(request: HttpRequest, id: int):
}) })
@login_required @login_required
@require_http_methods(["GET", "POST"]) @require_POST
def borrar_producto(request: HttpRequest, id: int): def borrar_producto(request: HttpRequest, id: int):
"""Borra un producto del usuario autenticado""" """Borra un producto del usuario autenticado"""
@@ -2191,12 +2191,9 @@ def editar_direccion(request: HttpRequest, id: int):
@login_required @login_required
@require_http_methods(["GET", "POST"]) @require_POST
def eliminar_direccion(request: HttpRequest, id: int): def eliminar_direccion(request: HttpRequest, id: int):
"""Elimina una dirección de entrega""" """Elimina una dirección de entrega"""
if request.method != "POST":
messages.error(request, "Acción no permitida.")
return redirect("direcciones_usuario")
direccion = get_object_or_404(ShippingAddress, id=id, user=request.user) direccion = get_object_or_404(ShippingAddress, id=id, user=request.user)
direccion.delete() direccion.delete()
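Review bot: `borrar_producto` now depends on `@require_POST` alone, but its body lies outside the first hunk, so two things cannot be confirmed from this page. One is whether a leftover `request.method` branch like the one removed from `eliminar_direccion` is still in there. The other is whether its lookup is scoped to the owner the way `get_object_or_404(ShippingAddress, id=id, user=request.user)` is. None of the four changed files appears to be a template, so any page that still reaches either URL through a plain link will now get a 405; such callers need a `<form method="post">` with `{% csrf_token %}`. With `@login_required` kept above `@require_POST`, an anonymous GET is still answered with the login redirect rather than 405, which the updated tests do not exercise.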