Merge #3138

3138: Update dependencies and re-enable flask toolbar r=nextgens a=ghostwheel42 ## What type of PR? bug-fix ## What does this PR do? Update python dependencies to versions without known security vulnerabilities. Also re-enable flask debug toolbar which was disabled earlier. werkzeug < 2.3.8: CVE-2023-46136 aiohttp < 3.9.0: CVE-2023-49081 CVE-2023-49082 cryptography >= 3.1 < 41.0.6: CVE-2023-49083 jinja2 < 3.1.3: CVE-2024-22195 Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2025-11-02 11:07:52 +00:00 · 2024-02-29 17:45:16 +00:00
parent d752e96805 a1e395c581
commit 1612b11e62
6 changed files with 65 additions and 63 deletions
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@@ -14,6 +14,7 @@ import passlib.context
 import passlib.hash
 import passlib.registry
 import time
+import logging
 import os
 import smtplib
 import idna
@@ -30,6 +31,10 @@ from werkzeug.utils import cached_property
 from mailu import dkim, utils


+# silence AttributeError: module 'bcrypt' has no attribute '__about__'
+logging.getLogger('passlib').setLevel(logging.ERROR)
+
+
 db = flask_sqlalchemy.SQLAlchemy()


@@ -159,13 +164,6 @@ class Base(db.Model):
        flag_modified(self, 'updated_at')


-# Many-to-many association table for domain managers
-managers = db.Table('manager', Base.metadata,
-    db.Column('domain_name', IdnaDomain, db.ForeignKey('domain.name')),
-    db.Column('user_email', IdnaEmail, db.ForeignKey('user.email'))
-)
-
-
 class Config(Base):
    """ In-database configuration values
    """
@@ -180,6 +178,10 @@ def _save_dkim_keys(session):
        if isinstance(obj, Domain):
            obj.save_dkim_key()

+def _get_managers():
+    return managers
+
+
 class Domain(Base):
    """ A DNS domain that has mail addresses associated to it.
    """
@@ -187,7 +189,7 @@ class Domain(Base):
    __tablename__ = 'domain'

    name = db.Column(IdnaDomain, primary_key=True, nullable=False)
-    managers = db.relationship('User', secondary=managers,
+    managers = db.relationship('User', secondary=_get_managers,
        backref=db.backref('manager_of'), lazy='dynamic')
    max_users = db.Column(db.Integer, nullable=False, default=-1)
    max_aliases = db.Column(db.Integer, nullable=False, default=-1)
@@ -790,6 +792,13 @@ class Fetch(Base):
        )


+# Many-to-many association table for domain managers
+managers = db.Table('manager', Base.metadata,
+    db.Column('domain_name', IdnaDomain, db.ForeignKey(Domain.name)),
+    db.Column('user_email', IdnaEmail, db.ForeignKey(User.email))
+)
+
+
 class MailuConfig:
    """ Class which joins whole Mailu config for dumping
        and loading