From 1a4b7c83e887e8c6683da1207c9578253d2d3dce Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 13 Sep 2021 23:37:27 +0200
Subject: [PATCH] [WEI] Fix critical security issue

Signed-off-by: Yohann D'ANELLO
---
 apps/wei/templates/wei/weiclub_detail.html | 2 +-
 apps/wei/views.py | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/apps/wei/templates/wei/weiclub_detail.html b/apps/wei/templates/wei/weiclub_detail.html
index 9ffa7374..cd4b5efb 100644
--- a/apps/wei/templates/wei/weiclub_detail.html
+++ b/apps/wei/templates/wei/weiclub_detail.html
@@ -95,7 +95,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 {% endif %}
- {% if can_validate_1a or True %}
+ {% if can_validate_1a %}
 {% trans "Attribute buses" %}
 {% endif %}
 {% endblock %}
diff --git a/apps/wei/views.py b/apps/wei/views.py
index 09fd9d56..b60b4a73 100644
--- a/apps/wei/views.py
+++ b/apps/wei/views.py
@@ -191,6 +191,10 @@ class WEIDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
 context["not_first_year"] = WEIMembership.objects.filter(user=self.request.user).exists()
+ qs = WEIMembership.objects.filter(club=club, registration__first_year=True, bus__isnull=True)
+ context["can_validate_1a"] = PermissionBackend.check_perm(
+ self.request, "wei.change_weimembership_bus", qs.first()) if qs.exists() else False
+
 return context
@@ -1181,7 +1185,10 @@ class WEI1AListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableView):
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
 context['club'] = self.club
- context['bus_repartition_table'] = BusRepartitionTable(Bus.objects.filter(wei=self.club, size__gt=0).all())
+ context['bus_repartition_table'] = BusRepartitionTable(
+ Bus.objects.filter(wei=self.club, size__gt=0)
+ .filter(PermissionBackend.filter_queryset(self.request, Bus, "view"))
+ .all())
 return context
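Review bot: The removed `or True` on the "Attribute buses" condition is a debug leftover that showed the link to every viewer, and the corrected `{% if can_validate_1a %}` now depends entirely on the view putting that key in the context; an absent key renders falsy, so the template fails closed, which is the right default. Nothing in this change prevents the same leftover from returning, so a regression test that renders this page as a user without the bus permission and asserts the link is absent would be worth adding. Hiding the link is a presentation concern only; the access decision has to stay in the view the link targets, which this hunk does not show.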
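Review bot: The new `can_validate_1a` computation in `WEIDetailView.get_context_data` issues two queries against `qs` (`exists()` and then `first()`) and derives a club-wide capability from a permission check on one arbitrary membership; if `PermissionBackend.check_perm` is object-scoped, the first unassigned first-year membership is not necessarily representative of the others. Fetching the row once removes the second query and the gap between the two reads: `first_1a = qs.first()` / `context["can_validate_1a"] = first_1a is not None and PermissionBackend.check_perm(` / `    self.request, "wei.change_weimembership_bus", first_1a)`. `club` is bound before the hunk and `get_context_data` starts outside it, so the origin of `club` cannot be checked from here.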
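Review bot: The trailing `.all()` in the rebuilt `bus_repartition_table` queryset of `WEI1AListView.get_context_data` is a no-op after `.filter(...)` and can be dropped, leaving `Bus.objects.filter(wei=self.club, size__gt=0).filter(PermissionBackend.filter_queryset(self.request, Bus, "view"))`. Restricting the repartition table to buses the requester may view matches the `ProtectQuerysetMixin` already on the class, but it only narrows what this table displays; the view's main membership queryset is not in this hunk, so it is worth confirming it is filtered the same way. The enclosing `get_context_data` lies fully inside the hunk.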