Patched meeting/ajax to close permissions vulnerability. Tweaked test…

…s to check the right functionality given the permissions policy currently in trunk - Legacy-Id: 7456
ietf-tools · Mar 13, 2014 · 1a3c2ce · 1a3c2ce
1 parent a0311b7
commit 1a3c2ce
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/ietf/meeting/ajax.py b/ietf/meeting/ajax.py
@@ -51,9 +51,12 @@ def readonly(request, meeting_num, schedule_id):
          'owner_href':  request.build_absolute_uri(schedule.owner.json_url()),
          'read_only':   read_only})
 
-@role_required('Area Director','Secretariat')
 @dajaxice_register
 def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=False):
+
+    if not has_role(request.user,('Area Director','Secretariat')):
+        return json.dumps({'error':'no permission'})
+
     schedule = get_object_or_404(Schedule, pk = int(schedule_id))
     meeting  = schedule.meeting
     cansee,canedit = agenda_permissions(meeting, schedule, request.user)
@@ -74,9 +77,12 @@ def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=Fal
 
 
 
-@role_required('Area Director','Secretariat')
 @dajaxice_register
 def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None, extended_from_id=None, duplicate=False):
+
+    if not has_role(request.user,('Area Director','Secretariat')):
+        return json.dumps({'error':'no permission'})
+
     schedule = get_object_or_404(Schedule, pk = int(schedule_id))
     meeting  = schedule.meeting
     ss_id = 0
@@ -133,9 +139,12 @@ def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None,
 
     return json.dumps({'message':'valid'})
 
-@role_required('Secretariat')
 @dajaxice_register
 def update_timeslot_purpose(request, timeslot_id=None, purpose=None):
+
+    if not has_role(request.user,'Secretariat'):
+        return json.dumps({'error':'no permission'})
+
     ts_id = int(timeslot_id)
     try:
        timeslot = TimeSlot.objects.get(pk=ts_id)

diff --git a/ietf/meeting/tests_api.py b/ietf/meeting/tests_api.py
@@ -50,8 +50,16 @@ def do_post(to):
         self.assertEqual(r.status_code, 200)
         self.assertTrue("error" in json.loads(r.content))
 
+        # Until the next agenda merge, the access permissions on the function under
+        # test only allow the secretariat to make changes.
+        # Tweaking the test data here instead of in make_meeting_test_data to simplify
+        # returning to the intended test scenario after that merge
+        test_schedule = mars_scheduled.schedule
+        test_schedule.owner=Person.objects.get(user__username='secretary')
+        test_schedule.save()
+
         # move to ames
-        self.client.login(remote_user="plain")
+        self.client.login(remote_user="secretary")
         r = do_post(to=ames_scheduled)
         self.assertEqual(r.status_code, 200)
         self.assertTrue("error" not in json.loads(r.content))
@@ -60,7 +68,7 @@ def do_post(to):
         self.assertEqual(ScheduledSession.objects.get(pk=ames_scheduled.pk).session, session)
 
         # unschedule
-        self.client.login(remote_user="plain")
+        self.client.login(remote_user="secretary")
         r = do_post(to=None)
         self.assertEqual(r.status_code, 200)
         self.assertTrue("error" not in json.loads(r.content))