Fix mp security by Aabu

zds/mp/tests/tests_views.py

@@ -625,6 +625,7 @@ class LeaveViewTest(TestCase):
     def setUp(self):
         self.profile1 = ProfileFactory()
         self.profile2 = ProfileFactory()
+        self.profile3 = ProfileFactory()
 
         self.anonymous_account = UserFactory(username=settings.ZDS_APP["member"]["anonymous_account"])
         self.bot_group = Group()
@@ -650,6 +651,14 @@ def test_denies_anonymous(self):
             response, reverse("member-login") + "?next=" + reverse("mp:leave", args=[1, "private-topic"])
         )
 
+    def test_denies_leave_topic_as_random_member(self):
+        self.client.force_login(self.profile3.user)
+
+        response = self.client.post(reverse("mp:leave", args=[self.topic1.pk, self.topic1.slug()]), follow=True)
+
+        self.assertEqual(403, response.status_code)
+        self.assertEqual(1, PrivateTopic.objects.filter(pk=self.topic1.pk).count())
+
     def test_fail_leave_topic_no_exist(self):
 
         response = self.client.post(reverse("mp:leave", args=[999, "private-topic"]))

zds/mp/views.py

@@ -156,6 +156,8 @@ def dispatch(self, request, *args, **kwargs):
 
     def post(self, request, *args, **kwargs):
         topic = self.get_object()
+        if not topic.is_participant(self.get_current_user()):
+            raise PermissionDenied
         self.perform_destroy(topic)
         messages.success(request, _("Vous avez quitté la conversation avec succès."))
         return redirect(reverse("mp:list"))