From 01ceeba1315428aa88ce09d674601cb4994429a1 Mon Sep 17 00:00:00 2001
From: Robert Sparks
Date: Wed, 14 Aug 2019 16:06:13 +0000
Subject: [PATCH] Guard against attempts to use the review request view with a ReviewRequest id that does not match the document for the ReviewRequest. This would have exposed #2776 much earlier. Commit ready for merge.
 - Legacy-Id: 16649
---
 ietf/doc/views_review.py | 4 +++-
 ietf/release/urls.py | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ietf/doc/views_review.py b/ietf/doc/views_review.py
index d4ac64db6..9815941dc 100644
--- a/ietf/doc/views_review.py
+++ b/ietf/doc/views_review.py
@@ -12,7 +12,7 @@ import email.utils
 import debug # pyflakes:ignore
-from django.http import HttpResponseForbidden, JsonResponse
+from django.http import HttpResponseForbidden, JsonResponse, Http404
 from django.shortcuts import render, get_object_or_404, redirect
 from django import forms
 from django.conf import settings
@@ -186,6 +186,8 @@ def review_request_forced_login(request, name, request_id):
 def review_request(request, name, request_id):
     doc = get_object_or_404(Document, name=name)
     review_req = get_object_or_404(ReviewRequest, pk=request_id)
+    if review_req.doc != doc:
+        raise Http404('The indicated ReviewRequest is not a request for the indicated document')
     can_manage_request = can_manage_review_requests_for_team(request.user, review_req.team)
diff --git a/ietf/release/urls.py b/ietf/release/urls.py
index 34cb023e5..34d8605c7 100644
--- a/ietf/release/urls.py
+++ b/ietf/release/urls.py
@@ -14,6 +14,5 @@ urlpatterns = [
     url(r'^(?P[0-9.]+.*)/$', views.release),
     url(r'^about/?$', TemplateView.as_view(template_name='release/about.html')),
     url(r'^stats/?$', views.stats),
-    url(r'^todo/?$', TemplateView.as_view(template_name='release/todo.html')),
 ]
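Review bot: The added guard in `review_request` fetches the ReviewRequest by pk alone and only then compares `review_req.doc != doc`, which likely costs a second query to load the related document and leaves a distinguishable path for "id exists but belongs to another document" versus "id does not exist"; folding the document into the lookup removes both, `review_req = get_object_or_404(ReviewRequest, pk=request_id, doc=doc)`, with no separate `raise Http404(...)` needed. Django only renders the Http404 message text when DEBUG is on, so the detailed string itself should not reach production responses, but a single-query lookup makes the two failure cases genuinely identical rather than relying on that. The placement is right: the mismatch check runs before `can_manage_review_requests_for_team`, so a mismatched id never reaches authorization logic. The body of `review_request` continues past the end of this hunk, so later uses of `review_req` and `doc` are not visible here.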