From 1a3c2ce431c6e0f0bc9ceac9f4e24248f89367af Mon Sep 17 00:00:00 2001
From: Robert Sparks
Date: Thu, 13 Mar 2014 17:39:34 +0000
Subject: [PATCH] Patched meeting/ajax to close permissions vulnerability. Tweaked tests to check the right functionality given the permissions policy currently in trunk - Legacy-Id: 7456
---
 ietf/meeting/ajax.py | 15 ++++++++++++---
 ietf/meeting/tests_api.py | 12 ++++++++++--
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/ietf/meeting/ajax.py b/ietf/meeting/ajax.py
index a5794a7900..7b0a112275 100644
--- a/ietf/meeting/ajax.py
+++ b/ietf/meeting/ajax.py
@@ -51,9 +51,12 @@ def readonly(request, meeting_num, schedule_id):
 'owner_href': request.build_absolute_uri(schedule.owner.json_url()),
 'read_only': read_only})
 
-@role_required('Area Director','Secretariat')
 @dajaxice_register
 def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=False):
+
+ if not has_role(request.user,('Area Director','Secretariat')):
+ return json.dumps({'error':'no permission'})
+
 schedule = get_object_or_404(Schedule, pk = int(schedule_id))
 meeting = schedule.meeting
 cansee,canedit = agenda_permissions(meeting, schedule, request.user)
@@ -74,9 +77,12 @@ def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=Fal
 
 
 
-@role_required('Area Director','Secretariat')
 @dajaxice_register
 def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None, extended_from_id=None, duplicate=False):
+
+ if not has_role(request.user,('Area Director','Secretariat')):
+ return json.dumps({'error':'no permission'})
+
 schedule = get_object_or_404(Schedule, pk = int(schedule_id))
 meeting = schedule.meeting
 ss_id = 0
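Review bot: The inline `has_role` check added at the top of update_timeslot_pinned and update_timeslot carries no comment saying why it replaces the removed `@role_required` decorator, and the same applies to update_timeslot_purpose in the `@@ -133,9 +139,12 @@` hunk. The decorator order on the old side, `@role_required` stacked above `@dajaxice_register`, suggests dajaxice registered the still-unwrapped function so the role check never ran on the AJAX path; if that is the reason, a later "cleanup" back to a decorator would silently reopen the hole. I would add above each check: `# Permission check is deliberately inline: a decorator stacked above @dajaxice_register wraps the function only after dajaxice has registered the bare one, so it would not run on AJAX calls.` The role check also overlaps with the `canedit` value from `agenda_permissions(...)` on the following context line in the first hunk; whether that value is enforced is outside the hunk. The bodies of both functions continue past their hunks.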
@@ -133,9 +139,12 @@ def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None,
 return json.dumps({'message':'valid'})
 
 
-@role_required('Secretariat')
 @dajaxice_register
 def update_timeslot_purpose(request, timeslot_id=None, purpose=None):
+
+ if not has_role(request.user,'Secretariat'):
+ return json.dumps({'error':'no permission'})
+
 ts_id = int(timeslot_id)
 try:
 timeslot = TimeSlot.objects.get(pk=ts_id)
diff --git a/ietf/meeting/tests_api.py b/ietf/meeting/tests_api.py
index 01699928fe..61b9619c93 100644
--- a/ietf/meeting/tests_api.py
+++ b/ietf/meeting/tests_api.py
@@ -50,8 +50,16 @@ def do_post(to):
 self.assertEqual(r.status_code, 200)
 self.assertTrue("error" in json.loads(r.content))
 
+ # Until the next agenda merge, the access permissions on the function under
+ # test only allow the secretariat to make changes.
+ # Tweaking the test data here instead of in make_meeting_test_data to simplify
+ # returning to the intended test scenario after that merge
+ test_schedule = mars_scheduled.schedule
+ test_schedule.owner=Person.objects.get(user__username='secretary')
+ test_schedule.save()
+
 # move to ames
- self.client.login(remote_user="plain")
+ self.client.login(remote_user="secretary")
 r = do_post(to=ames_scheduled)
 self.assertEqual(r.status_code, 200)
 self.assertTrue("error" not in json.loads(r.content))
@@ -60,7 +68,7 @@ def do_post(to):
 self.assertEqual(ScheduledSession.objects.get(pk=ames_scheduled.pk).session, session)
 
 # unschedule
- self.client.login(remote_user="plain")
+ self.client.login(remote_user="secretary")
 r = do_post(to=None)
 self.assertEqual(r.status_code, 200)
 self.assertTrue("error" not in json.loads(r.content))
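Review bot: The positive cases in the `@@ -50,8 +50,16 @@` hunk of tests_api.py now run as `secretary` and the schedule owner is reassigned to that same user, so nothing in the changed test shows that the new inline `has_role` check in update_timeslot rejects a user outside the allowed roles; the `"error" in json.loads(r.content)` assertion visible at the top of the hunk may be that negative case, but the user it logs in as is above the hunk. I would add, before the owner reassignment, `self.client.login(remote_user="plain")`, `r = do_post(to=ames_scheduled)` and `self.assertTrue("error" in json.loads(r.content))` so the rejection path is pinned independently of whatever precedes the hunk. The four-line comment describes a temporary workaround but carries no marker a later pass will search for; starting it with `# TODO(agenda-merge):` would make the intended revert discoverable. do_post and the enclosing test method both start outside the hunk.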