fix vulnerability in clientside

abonapp/models.py

@@ -271,7 +271,7 @@ class Abon(BaseAccount):
             # make log about it
             AbonLog.objects.create(
                 abon=self, amount=-tariff.amount,
-                author=author,
+                author=author if isinstance(author, UserProfile) else None,
                 comment=comment or _('Buy service default log')
             )
 

clientsideapp/views.py

@@ -38,7 +38,7 @@ def services(request):
         abon = request.user
         all_tarifs = Tariff.objects.get_tariffs_by_group(
             abon.group.pk
-        ).filter(is_admin=False)
+        )# .filter(is_admin=False)
         current_service = abon.active_tariff()
     except Abon.DoesNotExist:
         all_tarifs = None
@@ -57,8 +57,8 @@ def buy_service(request, srv_id):
         current_service = abon.active_tariff()
         if request.method == 'POST':
             abon.pick_tariff(
-                service, None,
-                _("Buy the service via user side, service '%s'") % service
+                tariff=service, author=abon,
+                comment=_("Buy the service via user side, service '%s'") % service
             )
             customer_nas_command.delay(abon.pk, 'sync')
             messages.success(

djing/lib/auth_backends.py

@@ -36,7 +36,7 @@ class CustomAuthBackend(ModelBackend):
 
 
 class LocationAuthBackend(ModelBackend):
-    def authenticate(self, request, byip, **kwargs):
+    def authenticate(self, request, **kwargs):
         try:
             remote_ip = ip_address(request.META.get('REMOTE_ADDR'))
             user = Abon.objects.filter(