[WEI] Fix critical security issue

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-09-13 23:37:27 +02:00 · 2021-09-13 23:37:27 +02:00 · 1a4b7c83e8
parent 4c17e2a92b
commit 1a4b7c83e8
2 changed files with 9 additions and 2 deletions
--- a/apps/wei/templates/wei/weiclub_detail.html
+++ b/apps/wei/templates/wei/weiclub_detail.html
@ -95,7 +95,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 </div>
 {% endif %}
-    {% if can_validate_1a or True %}
+    {% if can_validate_1a %}
        <a href="{% url 'wei:wei_1A_list' pk=object.pk %}" class="btn btn-block btn-info">{% trans "Attribute buses" %}</a>
    {% endif %}
 {% endblock %}
--- a/apps/wei/views.py
+++ b/apps/wei/views.py
@ -191,6 +191,10 @@ class WEIDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
        context["not_first_year"] = WEIMembership.objects.filter(user=self.request.user).exists()
        qs = WEIMembership.objects.filter(club=club, registration__first_year=True, bus__isnull=True)
        context["can_validate_1a"] = PermissionBackend.check_perm(
            self.request, "wei.change_weimembership_bus", qs.first()) if qs.exists() else False
        return context
@ -1181,7 +1185,10 @@ class WEI1AListView(LoginRequiredMixin, ProtectQuerysetMixin, SingleTableView):
    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
        context['club'] = self.club
-        context['bus_repartition_table'] = BusRepartitionTable(Bus.objects.filter(wei=self.club, size__gt=0).all())
+        context['bus_repartition_table'] = BusRepartitionTable(
            Bus.objects.filter(wei=self.club, size__gt=0)
                       .filter(PermissionBackend.filter_queryset(self.request, Bus, "view"))
                       .all())
        return context