cst1/kpsul
1
0
Fork 0
forked from DGNum/gestioCOF
Code Pull requests Activity

Replace some 403 by 404 to avoid trigramme leaking

Browse source 
Fixes #224
This commit is contained in:
Martin Pépin 2019-10-05 01:25:36 +02:00
parent e8a9e808f5
commit 96adadce5e
No known key found for this signature in database
GPG key ID: E7520278B1774448
1 changed files with 6 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
kfet/views.py
View file

@ -10,7 +10,6 @@ from django.contrib.auth.decorators import login_required, permission_required
from django.contrib.auth.mixins import PermissionRequiredMixin from django.contrib.auth.mixins import PermissionRequiredMixin
from django.contrib.auth.models import Permission, User from django.contrib.auth.models import Permission, User
from django.contrib.messages.views import SuccessMessageMixin from django.contrib.messages.views import SuccessMessageMixin
from django.core.exceptions import PermissionDenied
from django.db import transaction from django.db import transaction
from django.db.models import Count, F, Prefetch, Sum from django.db.models import Count, F, Prefetch, Sum
from django.forms import formset_factory from django.forms import formset_factory
@ -303,7 +302,7 @@ def account_read(request, trigramme):
if not account.readable or ( if not account.readable or (
not request.user.has_perm("kfet.is_team") and request.user != account.user not request.user.has_perm("kfet.is_team") and request.user != account.user
): ):
raise PermissionDenied raise Http404
addcosts = ( addcosts = (
OperationGroup.objects.filter(opes__addcost_for=account, opes__canceled_at=None) OperationGroup.objects.filter(opes__addcost_for=account, opes__canceled_at=None)
@ -327,7 +326,7 @@ def account_update(request, trigramme):
# Checking permissions # Checking permissions
if not request.user.has_perm("kfet.is_team") and request.user != account.user: if not request.user.has_perm("kfet.is_team") and request.user != account.user:
raise PermissionDenied raise Http404
user_info_form = UserInfoForm(instance=account.user) user_info_form = UserInfoForm(instance=account.user)
@ -2226,7 +2225,7 @@ class AccountStatBalanceList(PkUrlMixin, SingleResumeStat):
def get_object(self, *args, **kwargs): def get_object(self, *args, **kwargs):
obj = super().get_object(*args, **kwargs) obj = super().get_object(*args, **kwargs)
if self.request.user != obj.user: if self.request.user != obj.user:
raise PermissionDenied raise Http404
return obj return obj
@method_decorator(login_required) @method_decorator(login_required)
@ -2345,7 +2344,7 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
def get_object(self, *args, **kwargs): def get_object(self, *args, **kwargs):
obj = super().get_object(*args, **kwargs) obj = super().get_object(*args, **kwargs)
if self.request.user != obj.user: if self.request.user != obj.user:
raise PermissionDenied raise Http404
return obj return obj
@method_decorator(login_required) @method_decorator(login_required)
@ -2376,7 +2375,7 @@ class AccountStatOperationList(PkUrlMixin, SingleResumeStat):
def get_object(self, *args, **kwargs): def get_object(self, *args, **kwargs):
obj = super().get_object(*args, **kwargs) obj = super().get_object(*args, **kwargs)
if self.request.user != obj.user: if self.request.user != obj.user:
raise PermissionDenied raise Http404
return obj return obj
@method_decorator(login_required) @method_decorator(login_required)
@ -2439,7 +2438,7 @@ class AccountStatOperation(ScaleMixin, PkUrlMixin, JSONDetailView):
def get_object(self, *args, **kwargs): def get_object(self, *args, **kwargs):
obj = super().get_object(*args, **kwargs) obj = super().get_object(*args, **kwargs)
if self.request.user != obj.user: if self.request.user != obj.user:
raise PermissionDenied raise Http404
return obj return obj
@method_decorator(login_required) @method_decorator(login_required)