Merged in [16649] from rjsparks@nostrum.com:

Guard against attempts to use the review request view with a ReviewRequest id that does not match the document for the ReviewRequest. This would have exposed #2776 much earlier.
 - Legacy-Id: 16710
Note: SVN reference [16649] has been migrated to Git commit 01ceeba131
Henrik Levkowetz 2019-09-05 22:59:59 +00:00
commit 1c38387279


@ -12,7 +12,7 @@ import email.utils
import debug # pyflakes:ignore
from django.http import HttpResponseForbidden, JsonResponse
from django.http import HttpResponseForbidden, JsonResponse, Http404
from django.shortcuts import render, get_object_or_404, redirect
from django import forms
from django.conf import settings
@ -186,6 +186,8 @@ def review_request_forced_login(request, name, request_id):
def review_request(request, name, request_id):
doc = get_object_or_404(Document, name=name)
review_req = get_object_or_404(ReviewRequest, pk=request_id)
if review_req.doc != doc:
raise Http404('The indicated ReviewRequest is not a request for the indicated document')
can_manage_request = can_manage_review_requests_for_team(request.user, review_req.team)
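Review bot: The mismatch guard added after the two lookups in `review_request` could be folded into the query itself, `review_req = get_object_or_404(ReviewRequest, pk=request_id, doc=doc)`, so that a request id belonging to another document is indistinguishable from a nonexistent id. As written, the custom `Http404` text may reveal that the id exists under a different document, if the project's 404 template renders the exception message (not visible here). Other views that take the same `name`/`request_id` pair lie outside this hunk and presumably need the same constraint; a shared lookup helper would keep them consistent. A regression test that requests a valid `request_id` with another document's `name` and expects a 404 would pin the behaviour. The body of `review_request` continues past the end of the hunk.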