Selected club members can now make people subscribe; fix a major security hole in board_member verification
This commit is contained in:
parent
e80f5b6f0f
commit
c56094eaaf
@ -139,10 +139,7 @@ class Club(models.Model):
|
||||
"""
|
||||
Method to see if that object can be edited by the given user
|
||||
"""
|
||||
ms = self.get_membership_for(user)
|
||||
if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
|
||||
return True
|
||||
return False
|
||||
return self.has_rights_in_club(user)
|
||||
|
||||
def can_be_viewed_by(self, user):
|
||||
"""
|
||||
@ -170,6 +167,10 @@ class Club(models.Model):
|
||||
Club._memberships[self.id][user.id] = m
|
||||
return m
|
||||
|
||||
def has_rights_in_club(self, user):
|
||||
m = self.get_membership_for(user)
|
||||
return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
|
||||
|
||||
|
||||
class Membership(models.Model):
|
||||
"""
|
||||
|
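Review bot: has_rights_in_club has no docstring, and its answer comes out of the class-level cache that get_membership_for fills (`Club._memberships[self.id][user.id] = m` a few lines above), so a membership that ends or changes role after the first lookup will presumably keep answering from the cached object until `_memberships` is cleared — worth confirming where that cache is invalidated, since this method now gates editing, board status and subscription creation. A one-line docstring under the def would also make the threshold explicit: `"""Return True if *user* holds a role above SITH_MAXIMUM_FREE_ROLE in this club."""`.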
@ -300,7 +300,15 @@ class User(AbstractBaseUser):
|
||||
@cached_property
|
||||
def is_board_member(self):
|
||||
from club.models import Club
|
||||
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
|
||||
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
|
||||
|
||||
@cached_property
|
||||
def can_create_subscription(self):
|
||||
from club.models import Club
|
||||
for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
|
||||
if club.has_rights_in_club(self):
|
||||
return True
|
||||
return False
|
||||
|
||||
@cached_property
|
||||
def is_launderette_manager(self):
|
||||
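Review bot: In is_board_member, `Club.objects.filter(unix_name=...).first()` returns None when the main club row is missing, so the new line raises AttributeError instead of answering False; guarding it keeps the property total: `club = Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first()` then `return club is not None and club.has_rights_in_club(self)`. In can_create_subscription the trailing `.all()` on a filtered queryset adds nothing, and the loop reads more directly as `return any(club.has_rights_in_club(self) for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS))`.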
@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
|
||||
def __init__(self, request):
|
||||
super(AnonymousUser, self).__init__()
|
||||
|
||||
@property
|
||||
def can_create_subscription(self):
|
||||
return False
|
||||
|
||||
@property
|
||||
def was_subscribed(self):
|
||||
return False
|
||||
|
@ -14,8 +14,10 @@
|
||||
<li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
|
||||
<li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
|
||||
{% endif %}
|
||||
{% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
|
||||
{% if user.can_create_subscription or user.is_root %}
|
||||
<li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
|
||||
{% endif %}
|
||||
{% if user.is_board_member or user.is_root %}
|
||||
<li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
|
||||
<li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
|
||||
{% endif %}
|
||||
|
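Review bot: The new `user.is_board_member or user.is_root` condition only hides the "Subscription stats" and "New club" links; whether the `subscription:stats` and `club:club_new` views enforce the same check server-side is not visible in this commit, and the subscription view hunk below shows that view-level enforcement was previously keyed on SITH_MAIN_BOARD_GROUP rather than is_board_member. Worth confirming those two views apply the same rule, since the template test is a convenience for the user, not an authorization boundary.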
@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
|
||||
SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
|
||||
SITH_PRODUCTTYPE_SUBSCRIPTION = 2
|
||||
|
||||
SITH_CAN_CREATE_SUBSCRIPTIONS = [
|
||||
1,
|
||||
]
|
||||
|
||||
# Subscription durations are in semestres
|
||||
# Be careful, modifying this parameter will need a migration to be applied
|
||||
SITH_SUBSCRIPTIONS = {
|
||||
|
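Review bot: SITH_CAN_CREATE_SUBSCRIPTIONS lists a bare database primary key, and the file gives no hint what `1` denotes or that the value is deployment-specific (it presumably refers to the main club, but unlike SITH_MAIN_CLUB it is not looked up by unix_name). A comment above the list would help the next maintainer: `# Ids of the clubs whose board members (role > SITH_MAXIMUM_FREE_ROLE) may create subscriptions; database-specific, check after any fixture reload`.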
@ -106,7 +106,7 @@ class NewSubscription(CreateView):
|
||||
|
||||
def dispatch(self, request, *arg, **kwargs):
|
||||
res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
|
||||
if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
|
||||
if request.user.can_create_subscription:
|
||||
return res
|
||||
raise PermissionDenied
|
||||
|
||||
|
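Review bot: The new `request.user.can_create_subscription` test still runs after `super(NewSubscription, self).dispatch(...)`, and if that call executes the request handler (as Django's View.dispatch does) a POST from an unauthorised user is processed — the CreateView form is validated and saved — before PermissionDenied is raised. Checking first avoids the side effect: `if not request.user.can_create_subscription:` / `    raise PermissionDenied` / `return super(NewSubscription, self).dispatch(request, *arg, **kwargs)`. Note also that the template hunk grants the link with `or user.is_root` while this view checks only can_create_subscription; unless root users are covered inside that property, they will see the link and then be refused.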