From c56094eaaff759d12f5d8dd721da47113efbe7d1 Mon Sep 17 00:00:00 2001
From: klmp200
Date: Sat, 22 Jul 2017 00:40:51 +0200
Subject: [PATCH] Some selected club members can now make people subscribe and fix major security hole in board_member verification
---
 club/models.py | 9 +++++----
 core/models.py | 14 +++++++++++++-
 core/templates/core/user_tools.jinja | 4 +++-
 sith/settings.py | 4 ++++
 subscription/views.py | 2 +-
 5 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/club/models.py b/club/models.py
index 242250f5..cbec4872 100644
--- a/club/models.py
+++ b/club/models.py
@@ -139,10 +139,7 @@ class Club(models.Model):
 """
 Method to see if that object can be edited by the given user
 """
- ms = self.get_membership_for(user)
- if ms is not None and ms.role > settings.SITH_MAXIMUM_FREE_ROLE:
- return True
- return False
+ return self.has_rights_in_club(user)
 def can_be_viewed_by(self, user):
 """
@@ -170,6 +167,10 @@ class Club(models.Model):
 Club._memberships[self.id][user.id] = m
 return m
+ def has_rights_in_club(self, user):
+ m = self.get_membership_for(user)
+ return m is not None and m.role > settings.SITH_MAXIMUM_FREE_ROLE
+
 class Membership(models.Model):
 """
diff --git a/core/models.py b/core/models.py
index a0791c1b..00c5f684 100644
--- a/core/models.py
+++ b/core/models.py
@@ -300,7 +300,15 @@ class User(AbstractBaseUser):
 @cached_property
 def is_board_member(self):
 from club.models import Club
- return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().get_membership_for(self)
+ return Club.objects.filter(unix_name=settings.SITH_MAIN_CLUB['unix_name']).first().has_rights_in_club(self)
+
+ @cached_property
+ def can_create_subscription(self):
+ from club.models import Club
+ for club in Club.objects.filter(id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS).all():
+ if club.has_rights_in_club(self):
+ return True
+ return False
 @cached_property
 def is_launderette_manager(self):
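Review bot: `has_rights_in_club` becomes the single predicate behind both `Club.can_be_edited_by` and `User.is_board_member`, yet it carries no docstring saying what "rights" means; I would add `"""Return True if *user* holds a membership in this club whose role is above settings.SITH_MAXIMUM_FREE_ROLE."""` directly under the `def`. The check also reads through the class-level `Club._memberships` cache visible in the same hunk, so a role change made in the same process is only reflected once that cache entry is refreshed — worth confirming that invalidation exists now that this method gates board-level access.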
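Review bot: `can_create_subscription` grants the right by numeric club primary key (`id__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS`, seeded as `[1]` in this commit), so the authorization outcome depends on auto-increment ids that are not stable across databases; on a re-seeded or restored deployment id 1 may be a different club, whose members would silently gain the ability to create subscriptions. `is_board_member` a few lines above already identifies the main club by `unix_name`; keying the new setting on unix names as well (`Club.objects.filter(unix_name__in=settings.SITH_CAN_CREATE_SUBSCRIPTIONS)`) would make the grant deterministic, and the trailing `.all()` after `filter()` is redundant. Separately, `Club.objects.filter(...).first()` in `is_board_member` yields `None` when the main club is absent, so the property raises `AttributeError` instead of returning `False`; binding the club to a local and returning `club is not None and club.has_rights_in_club(self)` keeps it a plain boolean.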
@@ -504,6 +512,10 @@ class AnonymousUser(AuthAnonymousUser):
 def __init__(self, request):
 super(AnonymousUser, self).__init__()
+ @property
+ def can_create_subscription(self):
+ return False
+
 @property
 def was_subscribed(self):
 return False
diff --git a/core/templates/core/user_tools.jinja b/core/templates/core/user_tools.jinja
index 1074e64e..4033f702 100644
--- a/core/templates/core/user_tools.jinja
+++ b/core/templates/core/user_tools.jinja
@@ -14,8 +14,10 @@
  • {% trans %}Groups{% endtrans %}
  • {% trans %}Merge users{% endtrans %}
  • {% endif %}
- {% if user.is_in_group(settings.SITH_MAIN_BOARD_GROUP) or user.is_root %}
+ {% if user.can_create_subscription or user.is_root %}
  • {% trans %}Subscriptions{% endtrans %}
  • + {% endif %}
+ {% if user.is_board_member or user.is_root %}
  • {% trans %}Subscription stats{% endtrans %}
  • {% trans %}New club{% endtrans %}
  • {% endif %}
diff --git a/sith/settings.py b/sith/settings.py
index e3fe254d..9d1d16a3 100644
--- a/sith/settings.py
+++ b/sith/settings.py
@@ -408,6 +408,10 @@ SITH_PRODUCT_SUBSCRIPTION_ONE_SEMESTER = 1
 SITH_PRODUCT_SUBSCRIPTION_TWO_SEMESTERS = 2
 SITH_PRODUCTTYPE_SUBSCRIPTION = 2
+SITH_CAN_CREATE_SUBSCRIPTIONS = [
+ 1,
+]
+
 # Subscription durations are in semestres
 # Be careful, modifying this parameter will need a migration to be applied
 SITH_SUBSCRIPTIONS = {
diff --git a/subscription/views.py b/subscription/views.py
index a2716ed4..76e26ea1 100644
--- a/subscription/views.py
+++ b/subscription/views.py
@@ -106,7 +106,7 @@ class NewSubscription(CreateView):
 def dispatch(self, request, *arg, **kwargs):
 res = super(NewSubscription, self).dispatch(request, *arg, **kwargs)
- if request.user.is_in_group(settings.SITH_MAIN_BOARD_GROUP):
+ if request.user.can_create_subscription:
 return res
 raise PermissionDenied
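Review bot: The permission check in `dispatch` still runs after `super(NewSubscription, self).dispatch(request, *arg, **kwargs)` has already executed the view, so a POST from a user without `can_create_subscription` has its form processed — and, since this is a `CreateView`, presumably the subscription saved through `form_valid` — before `PermissionDenied` is raised; the commit only swaps the predicate and keeps this order. Gate first and delegate only on success: `if not request.user.can_create_subscription:` / `    raise PermissionDenied` / `return super(NewSubscription, self).dispatch(request, *arg, **kwargs)`. The template hunk in this same commit shows the Subscriptions link to `user.is_root` as well, while this gate accepts only `can_create_subscription`, so a root user without club rights gets the link and then a 403 — either add `or request.user.is_root` here or drop it from the template. The hunk header announces seven old lines but only six are visible, so a trailing context line after `raise PermissionDenied` appears to have been collapsed away.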