Patched meeting/ajax to close permissions vulnerability. Tweaked tests to check the right functionality given the permissions policy currently in trunk
- Legacy-Id: 7456
This commit is contained in:
parent
a0311b7ee8
commit
1a3c2ce431
@ -51,9 +51,12 @@ def readonly(request, meeting_num, schedule_id):
'owner_href': request.build_absolute_uri(schedule.owner.json_url()),
'read_only': read_only})
@role_required('Area Director','Secretariat')
@dajaxice_register
def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=False):
if not has_role(request.user,('Area Director','Secretariat')):
return json.dumps({'error':'no permission'})
schedule = get_object_or_404(Schedule, pk = int(schedule_id))
meeting = schedule.meeting
cansee,canedit = agenda_permissions(meeting, schedule, request.user)
@ -74,9 +77,12 @@ def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=Fal
@role_required('Area Director','Secretariat')
@dajaxice_register
def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None, extended_from_id=None, duplicate=False):
if not has_role(request.user,('Area Director','Secretariat')):
return json.dumps({'error':'no permission'})
schedule = get_object_or_404(Schedule, pk = int(schedule_id))
meeting = schedule.meeting
ss_id = 0
@ -133,9 +139,12 @@ def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None,
return json.dumps({'message':'valid'})
@role_required('Secretariat')
@dajaxice_register
def update_timeslot_purpose(request, timeslot_id=None, purpose=None):
if not has_role(request.user,'Secretariat'):
return json.dumps({'error':'no permission'})
ts_id = int(timeslot_id)
try:
timeslot = TimeSlot.objects.get(pk=ts_id)
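Review bot: The `@role_required` decorator stacked above `@dajaxice_register` in all three hunks (update_timeslot_pinned, update_timeslot, update_timeslot_purpose) may not guard the Ajax entry point: decorators apply bottom-up, so `@dajaxice_register` sees and registers the undecorated function, and if dajaxice dispatches the object it registered rather than re-resolving the module attribute, only the module-level name is wrapped. The in-body `has_role` check is then the effective control and must not be treated as redundant later; a comment on that line such as `# Keep this check: dajaxice may dispatch the function registered before @role_required wrapped it` would make that explicit, though the dispatch behaviour should be confirmed against the dajaxice version in use. The decorator's refusal is also unlikely to be the `{'error': 'no permission'}` JSON the Ajax client expects, which is a second reason to keep the explicit check and its JSON response. Each of the three functions continues outside its hunk, so whether `canedit` from `agenda_permissions` is actually enforced before a write cannot be verified here.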
@ -50,8 +50,16 @@ class ApiTests(TestCase):
self.assertEqual(r.status_code, 200)
self.assertTrue("error" in json.loads(r.content))
# Until the next agenda merge, the access permissions on the function under
# test only allow the secretariat to make changes.
# Tweaking the test data here instead of in make_meeting_test_data to simplify
# returning to the intended test scenario after that merge
test_schedule = mars_scheduled.schedule
test_schedule.owner=Person.objects.get(user__username='secretary')
test_schedule.save()
# move to ames
self.client.login(remote_user="plain")
self.client.login(remote_user="secretary")
r = do_post(to=ames_scheduled)
self.assertEqual(r.status_code, 200)
self.assertTrue("error" not in json.loads(r.content))
@ -60,7 +68,7 @@ class ApiTests(TestCase):
self.assertEqual(ScheduledSession.objects.get(pk=ames_scheduled.pk).session, session)
# unschedule
self.client.login(remote_user="plain")
self.client.login(remote_user="secretary")
r = do_post(to=None)
self.assertEqual(r.status_code, 200)
self.assertTrue("error" not in json.loads(r.content))
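Review bot: Switching both positive-path logins from "plain" to "secretary" leaves nothing in these hunks asserting that a user outside ('Area Director','Secretariat'), or a role-holder who does not own the schedule, is refused by the patched endpoint; the only negative assertion visible, `self.assertTrue("error" in json.loads(r.content))`, precedes the change and the user it ran under is not shown. Because `@role_required` may answer a denied request with a redirect or a non-JSON body rather than the `{'error': ...}` JSON, that earlier assertion could start failing inside `json.loads` or pass for the wrong reason, so an explicit denied-path check for a "plain" login, `self.assertEqual(r.status_code, 200)` followed by `self.assertIn("error", json.loads(r.content))`, would pin the intended behaviour. The owner tweak comment would be easier to act on with a marker such as `# TODO: drop the owner override once the agenda_permissions merge lands`. The enclosing test method starts before the first hunk and its `do_post` helper is outside this view.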