
Added a separate check that the user has 'change' permission.

1 parent 7392742 commit 83dd70a2a876da89a8804ac929ffbab99d75732a @bartTC bartTC committed Apr 22, 2012
Showing with 7 additions and 1 deletion.
  1. +7 −1 salmonella/views.py
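--- a/salmonella/views.py
+++ b/salmonella/views.py
@@ -1,7 +1,7 @@
 from django.core.urlresolvers import reverse
 from django.conf import settings
 from django.contrib.auth.decorators import user_passes_test
-from django.http import HttpResponseBadRequest
+from django.http import HttpResponseBadRequest, HttpResponseForbidden
 from django.shortcuts import render_to_response
 from django.db.models import get_model
@@ -32,11 +32,17 @@ def label_view(request, app_name, model_name, template_name="", multi=False,
 msg = 'No list or only invalid ids of objects given'
 return HttpResponseBadRequest(settings.DEBUG and msg or '')
+ # Make sure this model exists and the user has 'change' permission for it.
+ # If he doesnt have this permission, Django would not display the
+ # change_list in the popup and the user were never able to select objects.
 model = get_model(app_name, model_name)
 if not model:
 msg = 'Model %s.%s does not exist.' % (app_name, model_name)
 return HttpResponseBadRequest(settings.DEBUG and msg or '')
+ if not request.user.has_perm('%s.change_%s' % (app_name, model_name)):
+ return HttpResponseForbidden()
+
 try:
 if multi:
 model_template = "salmonella/%s/multi_%s.html" % (app_name, model_name)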
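Review bot: The permission codename on the `has_perm` line is built from the raw URL segments, while `get_model` on the line above it resolves the model independently of those strings (in Django of this vintage it lowercases the model name, worth confirming), so a request like `auth/User/` finds the model but then checks `auth.change_User`, which no granted permission matches. That is fail-closed rather than a bypass, but the check should be tied to the object it guards rather than to the URL text: `perm = '%s.change_%s' % (model._meta.app_label, model._meta.module_name)` (`model_name` on newer Django), then `if not request.user.has_perm(perm): return HttpResponseForbidden()`. The added comment presents the check as mirroring what the admin popup would show, whereas the commit discussion calls it a fix for reading objects the user may not access; I would state that in the code, e.g. `# Authorization: without change permission on this model the user must not be able to read its objects, or learn which ids exist, through this view.` label_view's def line is visible only in the hunk header and its body continues past the hunk.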

1 comment on commit 83dd70a

@bartTC
Lincoln Loop member
bartTC commented on 83dd70a Apr 22, 2012

This commit fixes a loophole that allowed reading data I do not have permission for. For instance, I could get a list of all usernames in the system by calling:

/admin/salmonella/auth/user/multiple/?id=1,2,3,4,5,...