0004-manager-check-authentication-level-in-PermissionMixi.patch

Valentin Deniaud, 28 May 2019 05:24 PM



Subject: [PATCH 4/8] manager: check authentication level in PermissionMixin
 (#33515)

Authentication level checks belong where PermissionDenied exceptions are
raised, since an insufficient level results in a similar access-control
exception. In most cases we will not check the level at all, for example
when only deciding whether to display buttons.
This commit could be enough, but sadly it isn't. We will have to account
for responses opening in popups, and for some views that rely on
can_{action} for permission control.
 src/authentic2/manager/views.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
src/authentic2/manager/views.py
from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext
from authentic2.forms.profile import modelform_factory
from authentic2.utils import redirect, batch_queryset
from authentic2.utils import redirect, batch_queryset, login_require
from authentic2.decorators import json as json_view
from authentic2 import hooks
......
permissions = None
def authorize(self, request, *args, **kwargs):
auth_level = request.session.get('auth_level', 1)
if hasattr(self, 'model'):
app_label = self.model._meta.app_label
model_name = self.model._meta.model_name
......
self.object)
if self.permissions \
and not request.user.has_perms(
self.permissions, self.object):
self.permissions, self.object, auth_level=auth_level):
raise PermissionDenied
elif self.permissions \
and not request.user.has_perm_any(self.permissions):
and not request.user.has_perm_any(self.permissions, auth_level=auth_level):
raise PermissionDenied
else:
if self.permissions \
and not request.user.has_perm_any(self.permissions):
and not request.user.has_perm_any(self.permissions, auth_level=auth_level):
raise PermissionDenied
def dispatch(self, request, *args, **kwargs):
response = self.authorize(request, *args, **kwargs)
try:
response = self.authorize(request, *args, **kwargs)
except InsufficientAuthLevel:
current_auth_level = request.session.get('auth_level', 1)
return login_require(request, params={'auth_level': current_auth_level + 1})
if response is not None:
return response
return super(PermissionMixin, self).dispatch(request, *args, **kwargs)
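Review bot: The step-up redirect in `dispatch` asks for `current_auth_level + 1` rather than the level the denied permission actually requires, so a user two levels short is bounced through login once per level, and a request that was not a GET loses its body on the way; if `InsufficientAuthLevel` carries the required level, pass that to `login_require` instead of `current_auth_level + 1`, and otherwise document why one step at a time is intended. The default `1` for a session without `auth_level` is read in both `authorize` and `dispatch`; it is security-relevant (it is what an unauthenticated or freshly-logged-in session is treated as), so name it once, e.g. `DEFAULT_AUTH_LEVEL = 1` at module level, and note on the `except` branch where the exception comes from: `except InsufficientAuthLevel:  # raised by has_perms()/has_perm_any() when the session's auth_level is too low`. `InsufficientAuthLevel` is not imported in the shown import hunk; presumably it is already in scope elsewhere in the file, but that should be confirmed. `authorize` is cut by the hunk boundaries, so the `hasattr(self, 'model')` branch between the two hunks is not visible here.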