klmp200
/
Sith
mirror of https://github.com/ae-utbm/sith3.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Some selected club members can now make people subscribe and fix major security hole in board_member verification

This commit is contained in:
Antoine Bartuccio 2017-07-22 00:40:51 +02:00
parent e80f5b6f0f
commit c56094eaaf
5 changed files with 26 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
club/models.py
View File

@ -139,10 +139,7 @@ class Club(models.Model):
"""
Method to see if that object can be edited by the given user
"""
ms = self.get_membership_for(user)
if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
return True
return False
return self.has_rights_in_club(user)
def can_be_viewed_by(self, user):
"""
@ -170,6 +167,10 @@ class Club(models.Model):
Club._memberships[self.id][user.id] = m
return m
def has_rights_in_club(self, user):
m = self.get_membership_for(user)
return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
class Membership(models.Model):
"""

14
core/models.py
View File

@ -300,7 +300,15 @@ class User(AbstractBaseUser):
@cached_property
def is_board_member(self):
from club.models import Club
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
@cached_property
def can_create_subscription(self):
from club.models import Club
for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
if club.has_rights_in_club(self):
return True
return False
@cached_property
def is_launderette_manager(self):
@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
def __init__(self, request):
super(AnonymousUser, self).__init__()
@property
def can_create_subscription(self):
return False
@property
def was_subscribed(self):
return False

4
core/templates/core/user_tools.jinja
View File

@ -14,8 +14,10 @@
<li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
<li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
{% endif %}
{% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
{% if user.can_create_subscription or user.is_root %}
<li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
{% endif %}
{% if user.is_board_member or user.is_root %}
<li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
<li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
{% endif %}

4
sith/settings.py
View File

@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
SITH_PRODUCTTYPE_SUBSCRIPTION = 2
SITH_CAN_CREATE_SUBSCRIPTIONS = [
1,
]
# Subscription durations are in semestres
# Be careful, modifying this parameter will need a migration to be applied
SITH_SUBSCRIPTIONS = {

2
subscription/views.py
View File

@ -106,7 +106,7 @@ class NewSubscription(CreateView):
def dispatch(self, request, *arg, **kwargs):
res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
if request.user.can_create_subscription:
return res
raise PermissionDenied