Fix mp security by Aabu

zestedesavoir · Oct 18, 2022 · d7a33db · d7a33db
1 parent e78c57a
commit d7a33db
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/zds/mp/views.py b/zds/mp/views.py
@@ -156,6 +156,8 @@ def dispatch(self, request, *args, **kwargs):
 
     def post(self, request, *args, **kwargs):
         topic = self.get_object()
+        if not topic.is_participant(self.get_current_user()):
+            raise PermissionDenied
         self.perform_destroy(topic)
         messages.success(request, _("Vous avez quitté la conversation avec succès."))
         return redirect(reverse("mp:list"))
@@ -216,7 +218,8 @@ def get_queryset(self):
 
     def post(self, request, *args, **kwargs):
         for topic in self.get_queryset():
-            self.perform_destroy(topic)
+            if topic.is_participant(self.get_current_user()):
+                self.perform_destroy(topic)
         return redirect(reverse("mp:list"))
 
     def get_current_user(self):