Merged [7456] from rjsparks@nostrum.com: Patched meeting/ajax to close permissions vulnerability. Tweaked tests to check the right functionality given the permissions policy currently in trunk

- Legacy-Id: 7513 Note: SVN reference [7456] has been migrated to Git commit 1a3c2ce431
2014-03-18 20:13:51 +00:00 · 2014-03-18 20:13:51 +00:00 · 86d8d7509f
parent ba43ac0de3 1a3c2ce431
commit 86d8d7509f
2 changed files with 22 additions and 5 deletions
--- a/ietf/meeting/ajax.py
+++ b/ietf/meeting/ajax.py
@ -51,9 +51,12 @@ def readonly(request, meeting_num, schedule_id):
         'owner_href':  request.build_absolute_uri(schedule.owner.json_url()),
         'read_only':   read_only})

-@role_required('Area Director','Secretariat')
@dajaxice_register
 def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=False):
+
+    if not has_role(request.user,('Area Director','Secretariat')):
+        return json.dumps({'error':'no permission'})
+
    schedule = get_object_or_404(Schedule, pk = int(schedule_id))
    meeting  = schedule.meeting
    cansee,canedit = agenda_permissions(meeting, schedule, request.user)
@ -74,9 +77,12 @@ def update_timeslot_pinned(request, schedule_id, scheduledsession_id, pinned=Fal



-@role_required('Area Director','Secretariat')
@dajaxice_register
 def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None, extended_from_id=None, duplicate=False):
+
+    if not has_role(request.user,('Area Director','Secretariat')):
+        return json.dumps({'error':'no permission'})
+
    schedule = get_object_or_404(Schedule, pk = int(schedule_id))
    meeting  = schedule.meeting
    ss_id = 0
@ -133,9 +139,12 @@ def update_timeslot(request, schedule_id, session_id, scheduledsession_id=None,

    return json.dumps({'message':'valid'})

-@role_required('Secretariat')
@dajaxice_register
 def update_timeslot_purpose(request, timeslot_id=None, purpose=None):
+
+    if not has_role(request.user,'Secretariat'):
+        return json.dumps({'error':'no permission'})
+
    ts_id = int(timeslot_id)
    try:
       timeslot = TimeSlot.objects.get(pk=ts_id)
--- a/ietf/meeting/tests_api.py
+++ b/ietf/meeting/tests_api.py
@ -50,8 +50,16 @@ class ApiTests(TestCase):
        self.assertEqual(r.status_code, 200)
        self.assertTrue("error" in json.loads(r.content))

+        # Until the next agenda merge, the access permissions on the function under
+        # test only allow the secretariat to make changes.
+        # Tweaking the test data here instead of in make_meeting_test_data to simplify
+        # returning to the intended test scenario after that merge
+        test_schedule = mars_scheduled.schedule
+        test_schedule.owner=Person.objects.get(user__username='secretary')
+        test_schedule.save()
+
        # move to ames
-        self.client.login(remote_user="plain")
+        self.client.login(remote_user="secretary")
        r = do_post(to=ames_scheduled)
        self.assertEqual(r.status_code, 200)
        self.assertTrue("error" not in json.loads(r.content))
@ -60,7 +68,7 @@ class ApiTests(TestCase):
        self.assertEqual(ScheduledSession.objects.get(pk=ames_scheduled.pk).session, session)

        # unschedule
-        self.client.login(remote_user="plain")
+        self.client.login(remote_user="secretary")
        r = do_post(to=None)
        self.assertEqual(r.status_code, 200)
        self.assertTrue("error" not in json.loads(r.content))