
0004-manager-check-authentication-level-in-PermissionMixi.patch

Valentin Deniaud, 28 mai 2019 17:24



Subject: [PATCH 4/8] manager: check authentication level in PermissionMixin
 (#33515)

Authentication level checks should be added wherever PermissionDenied
exceptions are raised, since they raise a similar access control
exception. In most cases we are not going to check them, for example
when we display buttons.
This commit could be enough, but sadly it isn't. We will have to account
for responses opening in popups, and for some views that rely on
can_{action} for permission control.
 src/authentic2/manager/views.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
src/authentic2/manager/views.py
42 42

  
43 43
from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext
44 44
from authentic2.forms.profile import modelform_factory
45
from authentic2.utils import redirect, batch_queryset
45
from authentic2.utils import redirect, batch_queryset, login_require
46 46
from authentic2.decorators import json as json_view
47 47
from authentic2 import hooks
48 48

  
......
103 103
    permissions = None
104 104

  
105 105
    def authorize(self, request, *args, **kwargs):
106
        auth_level = request.session.get('auth_level', 1)
106 107
        if hasattr(self, 'model'):
107 108
            app_label = self.model._meta.app_label
108 109
            model_name = self.model._meta.model_name
......
124 125
                                                        self.object)
125 126
                if self.permissions \
126 127
                        and not request.user.has_perms(
127
                            self.permissions, self.object):
128
                            self.permissions, self.object, auth_level=auth_level):
128 129
                    raise PermissionDenied
129 130
            elif self.permissions \
130
                    and not request.user.has_perm_any(self.permissions):
131
                    and not request.user.has_perm_any(self.permissions, auth_level=auth_level):
131 132
                raise PermissionDenied
132 133
        else:
133 134
            if self.permissions \
134
                    and not request.user.has_perm_any(self.permissions):
135
                    and not request.user.has_perm_any(self.permissions, auth_level=auth_level):
135 136
                raise PermissionDenied
136 137

  
137 138
    def dispatch(self, request, *args, **kwargs):
138
        response = self.authorize(request, *args, **kwargs)
139
        try:
140
            response = self.authorize(request, *args, **kwargs)
141
        except InsufficientAuthLevel:
142
            current_auth_level = request.session.get('auth_level', 1)
143
            return login_require(request, params={'auth_level': current_auth_level + 1})
139 144
        if response is not None:
140 145
            return response
141 146
        return super(PermissionMixin, self).dispatch(request, *args, **kwargs)
142
-
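Review bot: The `except InsufficientAuthLevel:` clause added in `dispatch` relies on a name this patch never imports — the import hunk adds only `login_require` — and since Python evaluates the expression of an `except` clause only when an exception actually propagates to it, a missing import would surface as a NameError precisely when an authentication-level failure occurs, so confirm `InsufficientAuthLevel` is already imported in views.py or import it from wherever it is defined. The handler also derives the target level from the session (`request.session.get('auth_level', 1) + 1`) rather than from what the denied permission requires; if a permission requires a level more than one step above the current one the user is sent through several consecutive step-ups, and if the exception carries the required level it would be more robust to redirect to that level directly. Finally the fallback `1` is now read in two places (`authorize` and `dispatch`); a single module-level constant such as `DEFAULT_AUTH_LEVEL = 1` would keep the two lookups in sync.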