author | Philip Sargent <philip.sargent@gmail.com> | 2024-12-19 22:55:08 +0000 |
committer | Philip Sargent <philip.sargent@gmail.com> | 2024-12-19 22:55:08 +0000 |
commit | 011e6777c9cf092bdcb8b5d9bfda8a0b86c69236 (patch) | |
tree | 474dfe0908531d1cc22f14024cfa375f5c28c072 /core/views/uploads.py | |
parent | 19bbb00dcc9d8fc2600bd782343ffff2a9fb2798 (diff) | |
bugfixes and more comments
Diffstat (limited to 'core/views/uploads.py')
-rw-r--r-- | core/views/uploads.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/core/views/uploads.py b/core/views/uploads.py
index 9ef11ac..c7b7e74 100644
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@@ -157,6 +157,7 @@ class LogbookEditForm(forms.Form): # not a model-form, just a form-form
 @login_required_if_public
 def edittxtpage(request, path, filepath):
 """Editing a .txt file on expoweb/
+ Yes this is a security hazard as arbitrary text can be uploaded and it is not enclosed in any HTML furniture.
 """
 def simple_get(viewtext):
 form = ExpotextfileForm()
@@ -175,9 +176,10 @@ def edittxtpage(request, path, filepath):
 message=""
 if not filepath.is_file():
+ message = f"File not found '{filepath}\n\nfailure detected in expowebpage() in views.expo.py"
 print(f"Not a file: {filepath}")
- errpage = f"<html>" + default_head + f"<h3>File not found '{filepath}'<br><br>failure detected in expowebpage() in views.expo.py</h3> </body>"
- return HttpResponse(errpage)
+ return render(request, "errors/generic.html", {"message": message})
+
 try:
 with open(filepath, "r") as f:
 originaltext = f.read()
@@ -207,6 +209,9 @@ def edittxtpage(request, path, filepath):
 if "Save" in request.POST:
 print("submitted for saving..")
+ # should insert sanitization in here
+ # but user cannot rename the file, and cannot create new files
+ # and this is only used for .txt files
 if newtext != originaltext: # Check if content has changed at all
 print("text changed.. saving and committing")
 try:
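Review bot: The new `message` in the second hunk drops the closing quote around the path and still blames the wrong function: `'{filepath}` has no matching `'`, and the text names `expowebpage() in views.expo.py` although this code is `edittxtpage` in `core/views/uploads.py`. Suggested line: `message = f"File not found '{filepath}'\n\nfailure detected in edittxtpage() in views/uploads.py"`. Whether the embedded `\n\n` survives as a line break depends on `errors/generic.html`, which is outside the hunk; unless the template renders `message` inside `<pre>` or through a linebreaks filter it will collapse to spaces. Routing the path through a template instead of the old hand-built `<html>` string is the right direction, since Django autoescaping now applies to `filepath`, assuming the template does not mark `message` safe. edittxtpage's body starts and ends outside this hunk.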
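Review bot: The three comments added in the third hunk record an intent ("should insert sanitization") and two assumptions ("cannot rename the file", "only used for .txt files") with nothing at the save point enforcing them, and a comment like this tends to outlive the conditions it relies on. Given the docstring added in the first hunk states the saved text is served without any HTML furniture, the ".txt only" claim is worth turning into a check immediately before the write, e.g. `if filepath.suffix != ".txt":` followed by `return render(request, "errors/generic.html", {"message": f"Refusing to save non-text file '{filepath}'"})`, assuming `filepath` is a pathlib.Path as the earlier `filepath.is_file()` suggests. At minimum the comment should carry an owner and name its precondition, e.g. `# TODO(owner): sanitise newtext before writing; relies on filepath having been validated by the caller`, so the deferred work is visible to whoever next touches the save path. The enclosing `if "Save" in request.POST:` block and the surrounding POST handling continue outside the hunk.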