Some selected club members can now make people subscribe and fix major security hole in board_member verification

This commit is contained in:
Antoine Bartuccio 2017-07-22 00:40:51 +02:00
parent e80f5b6f0f
commit c56094eaaf
5 changed files with 26 additions and 7 deletions


@ -139,10 +139,7 @@ class Club(models.Model):
""" """
Method to see if that object can be edited by the given user Method to see if that object can be edited by the given user
""" """
ms = self.get_membership_for(user) return self.has_rights_in_club(user)
if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
return True
return False
def can_be_viewed_by(self, user): def can_be_viewed_by(self, user):
""" """
@ -170,6 +167,10 @@ class Club(models.Model):
Club._memberships[self.id][user.id] = m Club._memberships[self.id][user.id] = m
return m return m
def has_rights_in_club(self, user):
m = self.get_membership_for(user)
return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
class Membership(models.Model): class Membership(models.Model):
""" """


@ -300,7 +300,15 @@ class User(AbstractBaseUser):
@cached_property @cached_property
def is_board_member(self): def is_board_member(self):
from club.models import Club from club.models import Club
return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self) return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
@cached_property
def can_create_subscription(self):
from club.models import Club
for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
if club.has_rights_in_club(self):
return True
return False
@cached_property @cached_property
def is_launderette_manager(self): def is_launderette_manager(self):
@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
def __init__(self, request): def __init__(self, request):
super(AnonymousUser, self).__init__() super(AnonymousUser, self).__init__()
@property
def can_create_subscription(self):
return False
@property @property
def was_subscribed(self): def was_subscribed(self):
return False return False
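Review bot: `can_create_subscription` (L38-43) has no docstring and spells out an `any()` by hand, with a redundant `.all()` on the queryset; `return any(club.has_rights_in_club(self) for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS))` preceded by `"""True if the user holds a board-level role in any club listed in SITH_CAN_CREATE_SUBSCRIPTIONS."""` says the same thing. `is_board_member` now returns a bool where it previously returned the membership object (or None), which is what its name promises, but any caller that used the returned object rather than its truthiness will need checking. Both properties are `@cached_property`, so a change of rights is only observed on a fresh User instance — presumably one per request, to be confirmed.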


@ -14,8 +14,10 @@
<li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li> <li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
<li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li> <li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
{% endif %} {% endif %}
{% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %} {% if user.can_create_subscription or user.is_root %}
<li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li> <li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
{% endif %}
{% if user.is_board_member or user.is_root %}
<li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li> <li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
<li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li> <li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
{% endif %} {% endif %}


@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
SITH_PRODUCTTYPE_SUBSCRIPTION = 2 SITH_PRODUCTTYPE_SUBSCRIPTION = 2
SITH_CAN_CREATE_SUBSCRIPTIONS = [
1,
]
# Subscription durations are in semestres # Subscription durations are in semestres
# Be careful, modifying this parameter will need a migration to be applied # Be careful, modifying this parameter will need a migration to be applied
SITH_SUBSCRIPTIONS = { SITH_SUBSCRIPTIONS = {
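Review bot: `SITH_CAN_CREATE_SUBSCRIPTIONS` grants a permission by raw database primary key (`1`), whereas the main club is identified by `SITH_MAIN_CLUB['unix_name']`; a primary key is deployment-specific, so on another database, or after the club with id 1 is deleted and recreated, the right would silently land on an unrelated club's board. Prefer a list of `unix_name`s with a matching `filter(unix_name__in=...)` in `User.can_create_subscription`, and document the setting with a comment such as `# Clubs whose board-level members may create subscriptions for other users`. The `{` on the last line opens a dict that continues past the hunk.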


@ -106,7 +106,7 @@ class NewSubscription(CreateView):
def dispatch(self, request, *arg, **kwargs): def dispatch(self, request, *arg, **kwargs):
res = super(NewSubscription, self).dispatch(request, *arg, **kwargs) res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP): if request.user.can_create_subscription:
return res return res
raise PermissionDenied raise PermissionDenied
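Review bot: The permission check at L87 runs only after `super().dispatch()` has returned, so on a POST the parent `CreateView` (if this is Django's) has presumably already processed the form and saved the new subscription before `PermissionDenied` is raised — the 403 then hides a write that already happened. Test the right first and only then dispatch: `if not request.user.can_create_subscription: raise PermissionDenied` followed by `return super(NewSubscription, self).dispatch(request, *arg, **kwargs)`. The navigation template shows the link for `user.is_root` as well, but this view accepts only `can_create_subscription`, so a root user without club rights is denied here; either add `or request.user.is_root` to the check or drop it from the template. The ordering predates this commit, but it is the gate the commit now relies on.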