arsmentis / coldfront

HPC Resource Allocation System
GNU General Public License v3.0

Add missing auth mixins to GrantCreateView #10

Closed dmr-x closed 4 years ago

dmr-x commented 4 years ago

commit message: (thanks github for copying it here for me!)

The test_func method was defined, but without the UserPassesTestMixin,
Django wasn't utilizing it.

As a result, any user could create a grant for any project, by using the
proper url (with the project primary key in the appropriate place).

Additionally, the LoginRequiredMixin was absent, allowing anyone to make
such a change.

dmr-x commented 4 years ago

@artlogic: as mentioned, this was a 1-line change.

I tested the functionality before/after the change. It indeed was a hole that let anyone make a grant for any project (including without being logged in). With the fix, an unauthorized user gets a 403.

dmr-x commented 4 years ago

FYI, here's a quick&dirty grep that imo confirms this was the only problematic case.

$ git grep 'class .*View' | grep -vF UserPassesTestMixin
coldfront/core/allocation/views.py:class AllocationListView(LoginRequiredMixin, ListView):
coldfront/core/project/views.py:class ProjectListView(LoginRequiredMixin, ListView):
coldfront/core/project/views.py:class ProjectArchivedListView(LoginRequiredMixin, ListView):
coldfront/core/user/views.py:class UserProfile(TemplateView):
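
The grep in the comment above only lists view classes that lack UserPassesTestMixin; it cannot see the pattern the commit message describes, a test_func that is defined but never dispatched because the mixin is absent. Below is an AST-based audit of the same question, added here as an example; it is not coldfront's code and not part of this PR. It goes beyond the PR's case in one respect: it also flags an auth mixin listed after the View class in the bases, which Django's View.dispatch silently ignores for the same MRO reason. The sample module it runs on is constructed for the example and mirrors the before/after shape of the fix as described in the commit message, not coldfront's actual view body; the function and class names (audit_views, GrantCreateViewBefore, WrongOrderView and so on) are hypothetical.

```python
"""Audit Django class-based views for auth mixins the MRO never dispatches.

Added example, not coldfront's code. Pure AST inspection: Django does not
need to be installed to run it.
"""
import ast
import sys
from dataclasses import dataclass

# Mixins exported by django.contrib.auth.mixins. A view that gets one of them
# only through a project-local mixin is not recognised: this checker looks at
# the direct base list only (a simplifying assumption of the example).
AUTH_MIXINS = {
    "AccessMixin",
    "LoginRequiredMixin",
    "PermissionRequiredMixin",
    "UserPassesTestMixin",
}


@dataclass
class Finding:
    cls: str
    line: int
    problems: list


def _base_name(node):
    """Bare name of a base expression: `CreateView` or `generic.CreateView`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return ""


def audit_views(source):
    """Return a Finding for every class-based view whose auth checks would not run."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        bases = [_base_name(b) for b in node.bases]
        view_positions = [i for i, b in enumerate(bases) if b.endswith("View")]
        if not view_positions:
            continue  # not a class-based view
        methods = {
            n.name for n in node.body
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
        }
        problems = []
        # 1. The bug this PR fixes: test_func is only called from
        #    UserPassesTestMixin.dispatch, so without the mixin it is dead code.
        if "test_func" in methods and "UserPassesTestMixin" not in bases:
            problems.append("test_func defined but UserPassesTestMixin missing: the check never runs")
        # 2. No auth mixin at all: View.dispatch goes straight to get/post,
        #    so an anonymous request reaches the handler.
        if not AUTH_MIXINS.intersection(bases):
            problems.append("no django.contrib.auth mixin: anonymous users reach this view")
        # 3. Mixin placed after the View class: View.dispatch does not call
        #    super().dispatch, so anything behind it in the MRO never runs.
        first_view = view_positions[0]
        for i, name in enumerate(bases):
            if name in AUTH_MIXINS and i > first_view:
                problems.append(f"{name} listed after the View base: it is never dispatched")
        if problems:
            findings.append(Finding(node.name, node.lineno, problems))
    return findings


# Constructed sample module (hypothetical class bodies, not coldfront's views).
SAMPLE = '''
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
from django.views.generic import CreateView, ListView

class GrantCreateViewBefore(CreateView):          # the shape the PR fixes
    def test_func(self):
        return self.request.user.is_superuser

class GrantCreateViewAfter(LoginRequiredMixin, UserPassesTestMixin, CreateView):
    def test_func(self):
        return self.request.user.is_superuser

class ProjectListView(LoginRequiredMixin, ListView):
    pass

class WrongOrderView(CreateView, UserPassesTestMixin):   # mixin behind the View
    def test_func(self):
        return False
'''


if __name__ == "__main__":
    sources = [("<constructed sample>", SAMPLE)]
    for path in sys.argv[1:]:
        with open(path) as fh:
            sources.append((path, fh.read()))
    for label, src in sources:
        for finding in audit_views(src):
            for problem in finding.problems:
                print(f"{label}:{finding.line}: {finding.cls}: {problem}")
```

Run it with no arguments to see the constructed sample reported, or pass view modules (for example the views.py files the grep above lists) to audit them. A view that inherits a mixin indirectly is reported as missing it, so treat the output as a worklist to inspect rather than a verdict.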

artlogic commented 4 years ago

Submitted to upstream: https://github.com/ubccr/coldfront/pull/208