Some selected club members can now make people subscribe and fix major security hole in board_member verification

2024-11-22 06:03:20 +00:00 · 2017-07-22 00:40:51 +02:00 · 2017-07-22 00:40:51 +02:00 · c56094eaaf
commit c56094eaaf
parent e80f5b6f0f
5 changed files with 26 additions and 7 deletions
--- a/club/models.py
+++ b/club/models.py
@ -139,10 +139,7 @@ class Club(models.Model):
        """
        Method to see if that object can be edited by the given user
        """
-        ms = self.get_membership_for(user)
-        if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
-            return True
-        return False
+        return self.has_rights_in_club(user)

    def can_be_viewed_by(self, user):
        """
@ -170,6 +167,10 @@ class Club(models.Model):
                Club._memberships[self.id][user.id] = m
            return m

+    def has_rights_in_club(self, user):
+        m = self.get_membership_for(user)
+        return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
+

 class Membership(models.Model):
    """
--- a/core/models.py
+++ b/core/models.py
@ -300,7 +300,15 @@ class User(AbstractBaseUser):
    @cached_property
    def is_board_member(self):
        from club.models import Club
-        return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
+        return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
+
+    @cached_property
+    def can_create_subscription(self):
+        from club.models import Club
+        for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
+            if club.has_rights_in_club(self):
+                return True
+        return False

    @cached_property
    def is_launderette_manager(self):
@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
    def __init__(self, request):
        super(AnonymousUser, self).__init__()

+    @property
+    def can_create_subscription(self):
+        return False
+
    @property
    def was_subscribed(self):
        return False
--- a/core/templates/core/user_tools.jinja
+++ b/core/templates/core/user_tools.jinja
@ -14,8 +14,10 @@
    <li><a href="{{ url('core:group_list') }}">{% trans %}Groups{% endtrans %}</a></li>
    <li><a href="{{ url('rootplace:merge') }}">{% trans %}Merge users{% endtrans %}</a></li>
    {% endif %}
-    {% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
+    {% if user.can_create_subscription or user.is_root %}
    <li><a href="{{ url('subscription:subscription') }}">{% trans %}Subscriptions{% endtrans %}</a></li>
+    {% endif %}
+    {% if user.is_board_member or user.is_root %}
    <li><a href="{{ url('subscription:stats') }}">{% trans %}Subscription stats{% endtrans %}</a></li>
    <li><a href="{{ url('club:club_new') }}">{% trans %}New club{% endtrans %}</a></li>
    {% endif %}
--- a/sith/settings.py
+++ b/sith/settings.py
@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
 SITH_PRODUCTTYPE_SUBSCRIPTION = 2

+SITH_CAN_CREATE_SUBSCRIPTIONS = [
+    1,
+]
+
 # Subscription durations are in semestres
 # Be careful, modifying this parameter will need a migration to be applied
 SITH_SUBSCRIPTIONS = {
--- a/subscription/views.py
+++ b/subscription/views.py
@ -106,7 +106,7 @@ class NewSubscription(CreateView):

    def dispatch(self, request, *arg, **kwargs):
        res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
-        if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
+        if request.user.can_create_subscription:
            return res
        raise PermissionDenied