Add some security

2025-10-31 15:50:03 +01:00 · 2025-02-13 00:39:05 +01:00
parent c841fb6068
commit 0ec771b5ee
1 changed files with 9 additions and 1 deletions
--- a/apps/member/forms.py
+++ b/apps/member/forms.py
@@ -44,7 +44,7 @@ class ProfileForm(forms.ModelForm):
    """
    A form for the extras field provided by the :model:`member.Profile` model.
    """
-    # Remove widget=forms.HiddenInput() if you want to use report frequency.
+
    report_frequency = forms.IntegerField(required=False, initial=0, label=_("Statement frequency (in days)"))

    last_report = forms.DateTimeField(required=False, disabled=True, label=_("Last statement date"))
@@ -66,6 +66,14 @@ class ProfileForm(forms.ModelForm):
        super().__init__(*args, **kwargs)
        self.fields['address'].widget.attrs.update({"placeholder": "4 avenue des Sciences, 91190 GIF-SUR-YVETTE"})
        self.fields['promotion'].widget.attrs.update({"max": timezone.now().year})
+    
+    def clean(self):
+        """Force the values of fields that the user does not have permission to modify.."""
+        cleaned_data = super().clean()
+        for field_name in self.fields.keys():
+            if not PermissionBackend.check_perm(self.request, f"member.change_profile_{field_name}", self.instance):
+                cleaned_data[field_name] = getattr(self.instance, field_name)  # Force the old value
+        return cleaned_data

    @transaction.atomic
    def save(self, commit=True):