user can tamper project and avoid unicity check

Note: this is not a security issue, because the project is forced from the URL just after the check.
Élie Bouttier 2014-08-30 17:55:48 -07:00
parent 92ea48f89d
commit 88db4070a5


@ -2,6 +2,7 @@ from django.shortcuts import render, redirect, get_object_or_404
from django.views.decorators.http import require_http_methods from django.views.decorators.http import require_http_methods
from django.contrib import messages from django.contrib import messages
from django.http import Http404, HttpResponse from django.http import Http404, HttpResponse
from django.core.exceptions import PermissionDenied
from permissions.models import * from permissions.models import *
@ -85,13 +86,12 @@ def project_perm_edit(request, project, id=None):
form = ProjectPermissionForm(request.POST or None, instance=perm, form = ProjectPermissionForm(request.POST or None, instance=perm,
initial={'project': project.id}) initial={'project': project.id})
if request.method == 'POST' and form.is_valid(): if request.method == 'POST' and form.is_valid():
if not form.cleaned_data['project'] == project:
raise PermissionDenied()
form.save()
if id: if id:
form.save()
messages.success(request, 'Permission updated successfully.') messages.success(request, 'Permission updated successfully.')
else: else:
perm = form.save(commit=False)
perm.project = project
perm.save()
messages.success(request, 'Permission added successfully.') messages.success(request, 'Permission added successfully.')
return redirect('list-project-permission', project.name) return redirect('list-project-permission', project.name)
name = request.POST.get('grantee_name') name = request.POST.get('grantee_name')
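Review bot: The new comparison on the `if not form.cleaned_data['project'] == project:` line reads better as `if form.cleaned_data['project'] != project:`, and it presumes `project` is a bound field of ProjectPermissionForm — if it is not, `cleaned_data['project']` raises KeyError (a 500) instead of the intended 403; a why-comment such as `# project comes from the URL: reject a tampered hidden field so validate_unique() ran against the right project` would make the intent clear to the next reader. The check only compares the submitted project with the URL project; it does not confirm that an existing `perm` (when `id` is given) itself belongs to `project`, so if the lookup above the hunk does not scope `perm` by project, a user could still rewrite another project's permission through this view — that lookup is not visible here. project_perm_edit starts and ends outside the hunk.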