Fixed security issue #2850: Comments were shown for unprivileged users.

This commit is contained in:
Norman Jäckel 2017-01-15 09:50:20 +01:00
parent 624fcc663b
commit c6b1df9e24
3 changed files with 17 additions and 1 deletions

View File

@ -11,6 +11,7 @@ Version 2.1 (unreleased)
Agenda: Agenda:
- Added button to remove all speakers from a list of speakers. - Added button to remove all speakers from a list of speakers.
- Added option to create or edit agenda items as subitems of others. - Added option to create or edit agenda items as subitems of others.
- Fixed security issue: Comments were shown for unprivileged users.
Core: Core:
- Added support for multiple projectors. - Added support for multiple projectors.

View File

@ -30,7 +30,14 @@ class ItemAccessPermissions(BaseAccessPermissions):
if (has_perm(user, 'agenda.can_see') and if (has_perm(user, 'agenda.can_see') and
(not full_data['is_hidden'] or (not full_data['is_hidden'] or
has_perm(user, 'agenda.can_see_hidden_items'))): has_perm(user, 'agenda.can_see_hidden_items'))):
data = full_data if has_perm(user, 'agenda.can_manage'):
data = full_data
else:
# Strip out item comments for unprivileged users.
data = {}
for key in full_data.keys():
if key != 'comment':
data[key] = full_data[key]
else: else:
data = None data = None
return data return data

View File

@ -42,6 +42,14 @@ class RetrieveItem(TestCase):
response = self.client.get(reverse('item-detail', args=[self.item.pk])) response = self.client.get(reverse('item-detail', args=[self.item.pk]))
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_normal_by_anonymous_cant_see_agenda_comments(self):
self.item.type = Item.AGENDA_ITEM
self.item.comment = 'comment_gbiejd67gkbmsogh8374jf$kd'
self.item.save()
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue(response.data.get('comment') is None)
class TestDBQueries(TestCase): class TestDBQueries(TestCase):
""" """