Admin import_index and import_from_csv urls are accessible by users not having sufficient permissions for logging in to wagtail admin [Security Issue] #580
The URL patterns import_index and import_from_csv defined in admin_urls.py point to view functions that are decorated with Django's login_required decorator. That decorator only denies access to unauthenticated users; it does not check the user's permissions. As a result, an authenticated user who lacks the permission to log into the Wagtail admin can still reach the admin's import-from-CSV pages.
Steps to reproduce
Steps to reproduce the behavior:
1. Create a user without the "wagtailadmin" permission (the permission required to log into the Wagtail admin). You can use django-admin at http://127.0.0.1:8000/django-admin/, log in as a superuser, and create a plain user on a simple coderedcms project created with coderedcms start mysite.
2. Log out.
3. Go to http://127.0.0.1:8000/admin/ (or your website's Wagtail admin) and enter the username and password of the user you just created.
4. As you can see, this user cannot log into the Wagtail admin because it lacks the wagtailadmin permission.
Expected behavior
Like any other page in the Wagtail admin area, these pages should not be visible without sufficient permissions; instead, the user should be redirected to the login page.
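The difference between an authentication-only check and an authentication-plus-permission check, as an added example that is not part of this issue or of coderedcms. The request and user classes are constructed stand-ins so the logic runs without Django; in a real Wagtail project the hardened decorator corresponds to require_admin_access from wagtail.admin.auth, and the permission codename used here is Wagtail's "Can access Wagtail admin" permission.

```python
from dataclasses import dataclass, field
from functools import wraps

# Constructed stand-ins for Django's request and user objects (not Django's API).
@dataclass
class User:
    username: str
    is_authenticated: bool = True
    perms: frozenset = field(default_factory=frozenset)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms

@dataclass
class Request:
    user: User

ADMIN_PERM = "wagtailadmin.access_admin"  # Wagtail's "Can access Wagtail admin" permission
LOGIN_REDIRECT = "302 -> /admin/login/"

def login_required(view):
    """The check the issue describes: only asks whether the user is logged in."""
    @wraps(view)
    def wrapper(request):
        if not request.user.is_authenticated:
            return LOGIN_REDIRECT
        return view(request)
    return wrapper

def require_admin_access(view):
    """Hardened form: logged in AND holding the admin permission, else redirect."""
    @wraps(view)
    def wrapper(request):
        user = request.user
        if not (user.is_authenticated and user.has_perm(ADMIN_PERM)):
            return LOGIN_REDIRECT
        return view(request)
    return wrapper

@login_required
def import_index_vulnerable(request):
    return "200 import_index"

@require_admin_access
def import_index_fixed(request):
    return "200 import_index"

# Constructed sample users for the three cases that matter.
anonymous = User("anon", is_authenticated=False)
plain_user = User("alice")                              # logged in, no admin permission
admin_user = User("bob", perms=frozenset({ADMIN_PERM}))  # logged in, admin permission
```

With login_required alone, plain_user reaches the import page; with the permission check, only admin_user does.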