barseghyanartur / django-fobi

Form generator/builder application for Django done right: customisable, modular, user- and developer- friendly.
https://pypi.python.org/pypi/django-fobi

Class based view dashboard can be reached by anonymous #300

Closed sveetch closed 1 year ago

sveetch commented 1 year ago

Bug Report

Expected behavior/code

The class-based view which implements the Dashboard should be reachable only by logged-in users (at least).

Actual Behavior

Everyone can reach the dashboard when it has been mounted from the class-based view URLs, as opposed to the old function view, which correctly checks for login required and permissions.

Steps to Reproduce

  1. Install django-fobi and mount it using the URLs for class-based views;
  2. Run the Django server and, without being logged in as a user, go to the fobi dashboard;
  3. You can reach the dashboard; fortunately it is empty of any data.

Environment

Possible Solution

It seems as simple as adding the missing PermissionMixin inheritance, so just changing:

https://github.com/barseghyanartur/django-fobi/blob/8208893aed6930432d5ea8662bf7058d8165ed10/src/fobi/views/class_based.py#L242

To:

class DashboardView(PermissionMixin, ListView):
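
A static check for the kind of omission reported in this issue, as an added example that is not part of the issue or of django-fobi's own code: it parses a views module and lists class-based views that have no PermissionMixin anywhere in their ancestry. The sample module and the `Example*` class names are constructed; only `DashboardView`, `PermissionMixin` and `ListView` come from the issue.

```python
import ast

# Generic view bases from django.views.generic that mark a class as a view.
VIEW_BASES = {"View", "TemplateView", "ListView", "DetailView", "FormView",
              "CreateView", "UpdateView", "DeleteView", "RedirectView"}
GUARD = "PermissionMixin"  # the mixin named in the issue


def _base_name(node):
    """Rightmost identifier of a base expression (plain name or dotted path)."""
    if isinstance(node, ast.Name):
        return node.id
    return node.attr if isinstance(node, ast.Attribute) else None


def unguarded_views(source):
    """Names of view classes in `source` with no GUARD in their ancestry.

    Only inheritance visible in this module is followed; imported bases are
    judged by name alone.
    """
    classes = {
        node.name: [_base_name(b) for b in node.bases]
        for node in ast.walk(ast.parse(source))
        if isinstance(node, ast.ClassDef)
    }

    def ancestry(name, seen=()):
        # Flatten local inheritance chains; `seen` stops cyclic definitions.
        found = set()
        for base in classes.get(name, []):
            if base and base not in seen:
                found.add(base)
                found |= ancestry(base, seen + (name,))
        return found

    return sorted(
        name for name in classes
        if ancestry(name) & VIEW_BASES and GUARD not in ancestry(name)
    )


# Constructed sample module: DashboardView as the issue describes it before
# the fix; the Example* classes are hypothetical.
SAMPLE = '''
class PermissionMixin: ...
class DashboardView(ListView): ...
class ExampleEditView(PermissionMixin, UpdateView): ...
class ExampleChildView(ExampleEditView): ...
class ExampleHelper: ...
'''
print(unguarded_views(SAMPLE))
```

Run over the real views module in CI, a non-empty result would fail the build before an unguarded view ships.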

barseghyanartur commented 1 year ago

Thanks for reporting this. You're totally right. I think I missed that one.

barseghyanartur commented 1 year ago

@sveetch:

Released in 0.19.5.

sveetch commented 1 year ago

Nice responsiveness, thanks for the quick release!