From e14bffa33cbf66c4c54dbdafb5b7ea21b9631434 Mon Sep 17 00:00:00 2001
From: zhangtianli2006
Date: Fri, 14 Aug 2020 19:39:03 +0800
Subject: [PATCH 1/3] remove unused response

Signed-off-by: zhangtianli2006
---
 problem/serializers.py | 2 --
 problem/views.py | 1 -
 2 files changed, 3 deletions(-)

diff --git a/problem/serializers.py b/problem/serializers.py
index d62a0f5..8a61062 100644
--- a/problem/serializers.py
+++ b/problem/serializers.py
@@ -32,12 +32,10 @@ class ProblemDescriptionSerializer(serializers.ModelSerializer):
     class Meta:
         model = Problem
         fields = [
-            "pid",
             "description",
         ]
         depth = 0
-        read_only_fields = ["id"]
 
 
 class TagSerializer(serializers.ModelSerializer):
diff --git a/problem/views.py b/problem/views.py
index 0986e0c..f9ce4ff 100644
--- a/problem/views.py
+++ b/problem/views.py
@@ -163,7 +163,6 @@ def get(self, request):
         ts = TagSerializer(queryset, many=True)
 
         return Response({
-            "detail": "Success",
             "count": queryset.count(),
             "res": ts.data
         }, status=status.HTTP_200_OK)
\ No newline at end of file

From ed0be91d23b147fe8c571ac7d64b43edf0807f14 Mon Sep 17 00:00:00 2001
From: zhangtianli2006
Date: Fri, 14 Aug 2020 20:04:36 +0800
Subject: [PATCH 2/3] response 403 when not admin changes own permition

Signed-off-by: zhangtianli2006
---
 account/tests.py | 2 +-
 account/views.py | 27 +++++++++++++++++++++++----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/account/tests.py b/account/tests.py
index ecd0a6d..5403cdd 100644
--- a/account/tests.py
+++ b/account/tests.py
@@ -169,7 +169,7 @@ def testL0_change_not_admin(self):
         request = self.factory.patch(self.base_url, data=request_data, format="json")
         force_authenticate(request, User.objects.get(username="testuser"))
         res = self.view(request, uid=2)
-        self.assertEqual(res.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertEqual(res.status_code, status.HTTP_403_FORBIDDEN)
         target = User.objects.get(id=2)
         self.assertEqual(target.is_active, ac_data["is_active"])
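Review bot: The flipped assertion in testL0_change_not_admin only exercises is_active; as far as this hunk shows, nothing asserts that a non-admin patching their own is_staff or is_superuser also receives a 403 and that the stored flags stay unchanged, which is exactly the case the account/views.py change in this series handles inconsistently for is_staff. A parallel case per protected flag, ending in `self.assertEqual(target.is_staff, ac_data["is_staff"])` after a request carrying that flag (constructed; adapt to the fixture), would pin the behaviour down. The test method starts before this hunk.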
diff --git a/account/views.py b/account/views.py
index d199ed0..8338e0a 100644
--- a/account/views.py
+++ b/account/views.py
@@ -137,15 +137,34 @@ def post(self, request):
     def patch(self, request, uid):
         data = request.data
         user = get_object_or_404(User, id=uid)
+
         if not request.user.has_perm("account.change_user"):
             if request.user.id != user.id:
                 return Response({
                     "detail": "You have no permission to change this user"
                 }, status=status.HTTP_403_FORBIDDEN)
-
-            data.pop("is_active", None)
-            data.pop("is_staff", None)
-            data.pop("is_superuser", None)
+
+            request_is_active = data.get("is_active")
+            request_is_staff = data.get("is_staff")
+            request_is_superuser = data.get("is_superuser")
+
+            if request_is_active != None:
+                if request_is_active != user.is_active:
+                    return Response({
+                        "detail": "You have no permission to change this user"
+                    }, status=status.HTTP_403_FORBIDDEN)
+
+            if request_is_staff != None:
+                if request_is_staff != user.is_active:
+                    return Response({
+                        "detail": "You have no permission to change this user"
+                    }, status=status.HTTP_403_FORBIDDEN)
+
+            if request_is_superuser != None:
+                if request_is_superuser != user.is_active:
+                    return Response({
+                        "detail": "You have no permission to change this user"
+                    }, status=status.HTTP_403_FORBIDDEN)
 
         us = AccountSerializer(user, data=data, partial=True)
         us.is_valid(raise_exception=True)

From 8beda5a6c6a723a6b0ba0e8c4137c5241607f922 Mon Sep 17 00:00:00 2001
From: zhangtianli2006
Date: Fri, 14 Aug 2020 20:37:54 +0800
Subject: [PATCH 3/3] fix permission bug

Signed-off-by: zhangtianli2006
---
 account/views.py | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/account/views.py b/account/views.py
index 8338e0a..eb7d580 100644
--- a/account/views.py
+++ b/account/views.py
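Review bot: The is_staff and is_superuser guards compare the requested value against user.is_active instead of the matching attribute, so for an active non-admin a request carrying `is_staff: true` satisfies `request_is_staff != user.is_active` being false and the value flows on to AccountSerializer; the old code popped these keys before the serializer saw them, and that protection is gone. Whether the serializer then persists the flag depends on its field definitions, which are outside this diff, but the guard as written does not block it. PATCH 3/3 corrects the is_superuser comparison yet leaves the is_staff one as is; it should read `if request_is_staff != user.is_staff:` here and `if request_is_staff != None and request_is_staff != user.is_staff:` in the 3/3 form. The `!= None` comparisons should also be `is not None`. patch() continues past the end of this hunk.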
@@ -148,23 +148,20 @@ def patch(self, request, uid):
             request_is_staff = data.get("is_staff")
             request_is_superuser = data.get("is_superuser")
 
-            if request_is_active != None:
-                if request_is_active != user.is_active:
-                    return Response({
-                        "detail": "You have no permission to change this user"
-                    }, status=status.HTTP_403_FORBIDDEN)
-
-            if request_is_staff != None:
-                if request_is_staff != user.is_active:
-                    return Response({
-                        "detail": "You have no permission to change this user"
-                    }, status=status.HTTP_403_FORBIDDEN)
-
-            if request_is_superuser != None:
-                if request_is_superuser != user.is_active:
-                    return Response({
-                        "detail": "You have no permission to change this user"
-                    }, status=status.HTTP_403_FORBIDDEN)
+            if request_is_active != None and request_is_active != user.is_active:
+                return Response({
+                    "detail": "You have no permission to change this user"
+                }, status=status.HTTP_403_FORBIDDEN)
+
+            if request_is_staff != None and request_is_staff != user.is_active:
+                return Response({
+                    "detail": "You have no permission to change this user"
+                }, status=status.HTTP_403_FORBIDDEN)
+
+            if request_is_superuser != None and request_is_superuser != user.is_superuser:
+                return Response({
+                    "detail": "You have no permission to change this user"
+                }, status=status.HTTP_403_FORBIDDEN)
 
         us = AccountSerializer(user, data=data, partial=True)
         us.is_valid(raise_exception=True)
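Review bot: The three guards are the same block with only the field name varying, and the middle one still compares request_is_staff against user.is_active rather than user.is_staff, which a loop over the protected field names with `getattr(user, name)` would have made impossible; the `!= None` comparisons should also be `is not None`. Folding the guards into one loop keeps the 403 response in one place and makes the attribute being compared follow the key being read, so adding a protected field is a one-token change. With the loop the three `request_is_*` assignments above it (one of them outside this hunk) become unused and can go. def patch begins above this hunk and continues below it.
```python
            # … unchanged: request_is_* assignments (drop once the loop is in) …
            # A non-admin may submit a protected flag only at its current value.
            for field in ("is_active", "is_staff", "is_superuser"):
                requested = data.get(field)
                if requested is not None and requested != getattr(user, field):
                    return Response({
                        "detail": "You have no permission to change this user"
                    }, status=status.HTTP_403_FORBIDDEN)
            # … unchanged: AccountSerializer validation …
```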