Merge pull request #2872 from normanjaeckel/AgendaComment
Fixed security issue #2850: Comments were shown for unprivileged users.
This commit is contained in:
commit
1672c2de66
@ -11,6 +11,7 @@ Version 2.1 (unreleased)
|
||||
Agenda:
|
||||
- Added button to remove all speakers from a list of speakers.
|
||||
- Added option to create or edit agenda items as subitems of others.
|
||||
- Fixed security issue: Comments were shown for unprivileged users.
|
||||
|
||||
Core:
|
||||
- Added support for multiple projectors.
|
||||
|
@ -30,7 +30,14 @@ class ItemAccessPermissions(BaseAccessPermissions):
|
||||
if (has_perm(user, 'agenda.can_see') and
|
||||
(not full_data['is_hidden'] or
|
||||
has_perm(user, 'agenda.can_see_hidden_items'))):
|
||||
data = full_data
|
||||
if has_perm(user, 'agenda.can_manage'):
|
||||
data = full_data
|
||||
else:
|
||||
# Strip out item comments for unprivileged users.
|
||||
data = {}
|
||||
for key in full_data.keys():
|
||||
if key != 'comment':
|
||||
data[key] = full_data[key]
|
||||
else:
|
||||
data = None
|
||||
return data
|
||||
|
@ -42,6 +42,14 @@ class RetrieveItem(TestCase):
|
||||
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
|
||||
def test_normal_by_anonymous_cant_see_agenda_comments(self):
|
||||
self.item.type = Item.AGENDA_ITEM
|
||||
self.item.comment = 'comment_gbiejd67gkbmsogh8374jf$kd'
|
||||
self.item.save()
|
||||
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||
self.assertTrue(response.data.get('comment') is None)
|
||||
|
||||
|
||||
class TestDBQueries(TestCase):
|
||||
"""
|
||||
|
Loading…
Reference in New Issue
Block a user