Fixed security issue #2850: Comments were shown for unprivileged users.
parent
624fcc663b
commit
c6b1df9e24
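--- a/[changelog path not shown on page]
+++ b/[changelog path not shown on page]
@@ -11,6 +11,7 @@ Version 2.1 (unreleased)
 Agenda:
 - Added button to remove all speakers from a list of speakers.
 - Added option to create or edit agenda items as subitems of others.
+- Fixed security issue: Comments were shown for unprivileged users.
 
 Core:
 - Added support for multiple projectors.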
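--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -30,7 +30,14 @@ class ItemAccessPermissions(BaseAccessPermissions):
         if (has_perm(user, 'agenda.can_see') and
                 (not full_data['is_hidden'] or
                  has_perm(user, 'agenda.can_see_hidden_items'))):
+            if has_perm(user, 'agenda.can_manage'):
                 data = full_data
+            else:
+                # Strip out item comments for unprivileged users.
+                data = {}
+                for key in full_data.keys():
+                    if key != 'comment':
+                        data[key] = full_data[key]
         else:
             data = None
         return data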
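Review bot: The stripping in the new `else` branch is a denylist of the single key `'comment'`, so any further privileged field added to `full_data` later is exposed to non-managers by default; naming the restricted keys once and filtering against that set fails closed for the next field and collapses the loop into one expression: `RESTRICTED_KEYS = {'comment'}  # constructed name` at module level, then `data = {key: value for key, value in full_data.items() if key not in RESTRICTED_KEYS}` in place of the `data = {}` loop. The comment `# Strip out item comments for unprivileged users.` would then read better as `# Users without agenda.can_manage get a copy of full_data without the restricted keys.`, which also records that the caller receives a new dict rather than `full_data` itself. The enclosing method starts before this hunk, so the origin of `full_data` and `user` is not visible here.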
@ -42,6 +42,14 @@ class RetrieveItem(TestCase):
|
|||||||
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
||||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
def test_normal_by_anonymous_cant_see_agenda_comments(self):
|
||||||
|
self.item.type = Item.AGENDA_ITEM
|
||||||
|
self.item.comment = 'comment_gbiejd67gkbmsogh8374jf$kd'
|
||||||
|
self.item.save()
|
||||||
|
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
self.assertTrue(response.data.get('comment') is None)
|
||||||
|
|
||||||
|
|
||||||
class TestDBQueries(TestCase):
|
class TestDBQueries(TestCase):
|
||||||
"""
|
"""
|
||||||
|
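Review bot: `self.assertTrue(response.data.get('comment') is None)` on the last line of the new test also passes when the serializer emits the key with a null value, so it does not pin the behaviour this commit introduces, namely that the key is absent; `self.assertNotIn('comment', response.data)` is the tighter assertion. The new test covers only the anonymous client; a companion case for a logged-in user without `agenda.can_manage`, and one asserting that a user with that permission still receives the comment, would guard both directions of the new check. The enclosing `RetrieveItem` test class starts before this hunk, so the fixture that creates `self.item` is not visible here.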