Closed dmr-x closed 4 years ago
@artlogic: as mentioned, this was a 1-line change.
I tested the functionality before/after the change. It indeed was a hole that let anyone make a grant for any project (including without being logged in). With the fix, an unauthorized user gets a 403.
FYI, here's a quick & dirty grep that imo confirms this was the only problematic case.
$ git grep 'class .*View' | grep -vF UserPassesTestMixin
coldfront/core/allocation/views.py:class AllocationListView(LoginRequiredMixin, ListView):
coldfront/core/project/views.py:class ProjectListView(LoginRequiredMixin, ListView):
coldfront/core/project/views.py:class ProjectArchivedListView(LoginRequiredMixin, ListView):
coldfront/core/user/views.py:class UserProfile(TemplateView):
Submitted to upstream: https://github.com/ubccr/coldfront/pull/208
commit message: (thanks github for copying it here for me!)
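As an added example (not code from the ColdFront PR or project), a slightly more careful version of the grep above: a POSIX shell audit that joins class headers spread over several lines before checking for UserPassesTestMixin, so a mixin declared on a continuation line is not misreported. It runs against a constructed sample tree under hypothetical paths.

```shell
#!/bin/sh
# Added audit script (not from the ColdFront PR). Lists Django class-based
# views whose base list lacks UserPassesTestMixin. A class header spread over
# several lines is joined first, which a one-line `git grep` cannot do.

audit_views() {
    # $1: directory tree to scan. Prints "path:ClassName" per suspect view.
    find "$1" -type f -name '*.py' | sort | while read -r f; do
        awk '
            /^class[[:space:]]/ {
                hdr = $0
                # Pull in continuation lines until the header ends with ":".
                while (hdr !~ /:[[:space:]]*$/ && (getline line) > 0)
                    hdr = hdr " " line
                if (hdr ~ /^class[[:space:]]+[A-Za-z0-9_]*View/ && hdr !~ /UserPassesTestMixin/) {
                    match(hdr, /^class[[:space:]]+[A-Za-z0-9_]+/)
                    name = substr(hdr, RSTART, RLENGTH)
                    sub(/^class[[:space:]]+/, "", name)
                    print FILENAME ":" name
                }
            }' "$f"
    done
}

make_sample() {
    # Constructed sample tree under $1 (hypothetical app and paths).
    mkdir -p "$1/grant"
    cat > "$1/grant/views.py" <<'EOF'
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
from django.views.generic import CreateView, DetailView, ListView

class GrantCreateView(LoginRequiredMixin, CreateView):
    model = Grant                       # any logged-in user may create

class GrantDetailView(LoginRequiredMixin,
                      UserPassesTestMixin,
                      DetailView):
    def test_func(self):
        return self.request.user.is_superuser

class GrantListView(LoginRequiredMixin, ListView):
    model = Grant
EOF
}

# Stand-alone run: GrantCreateView and GrantListView are reported;
# GrantDetailView is not, even though its mixin sits on a continuation line.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_views "$tmp"
rm -rf "$tmp"
```

Views that inherit the mixin through a project-specific base class still appear in the output, so treat it as a review list rather than a verdict.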