Deny access to non-admin users to other's pages

- This checks that the user making the request is the same user as the
  one logged in and prevents access to the pages of other users unless
  the user is an admin
This commit is contained in:
lispyclouds 2017-02-14 08:17:17 +05:30 committed by Sunil Mohan Adapa
parent da2a63bd96
commit 40ceb9a152
No known key found for this signature in database
GPG Key ID: 43EA1CFF0AA7C5F2


@ -19,6 +19,7 @@ from django.contrib import messages
from django.contrib.auth import update_session_auth_hash
from django.contrib.auth.models import User
from django.contrib.messages.views import SuccessMessageMixin
from django.core.exceptions import PermissionDenied
from django.urls import reverse, reverse_lazy
from django.views.generic.edit import (CreateView, DeleteView, UpdateView,
FormView)
@ -80,6 +81,13 @@ class UserUpdate(ContextMixin, SuccessMessageMixin, UpdateView):
success_message = ugettext_lazy('User %(username)s updated.')
title = ugettext_lazy('Edit User')
def dispatch(self, request, *args, **kwargs):
if self.request.user.get_username() != self.kwargs['slug'] \
and not self.request.user.groups.filter(name='admin').exists():
raise PermissionDenied
return super(UserUpdate, self).dispatch(request, *args, **kwargs)
def get_form_kwargs(self):
"""Make the requst object available to the form."""
kwargs = super(UserUpdate, self).get_form_kwargs()
@ -143,6 +151,13 @@ class UserChangePassword(ContextMixin, SuccessMessageMixin, FormView):
title = ugettext_lazy('Change Password')
success_message = ugettext_lazy('Password changed successfully.')
def dispatch(self, request, *args, **kwargs):
if self.request.user.get_username() != self.kwargs['slug'] \
and not self.request.user.groups.filter(name='admin').exists():
raise PermissionDenied
return super(UserChangePassword, self).dispatch(request, *args, **kwargs)
def get_form_kwargs(self):
"""Make the user object available to the form."""
kwargs = super(UserChangePassword, self).get_form_kwargs()
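Review bot: The new `dispatch` override in `UserUpdate` is copied verbatim into `UserChangePassword` (the third hunk), so the ownership check — a security boundary — now lives in two places that can drift apart; it belongs in one mixin that both views inherit. Neither override carries a docstring; each should at least say `"""Deny access unless the user is editing their own page or is an admin."""`. The check relies on `self.request` and `self.kwargs` being set before `dispatch` runs, which Django's `as_view()` does, but the `request` argument is already in hand and reads more directly. For an anonymous user `get_username()` returns an empty string and the `admin` group lookup is empty, so the override raises `PermissionDenied` (403) rather than redirecting to login — presumably a login requirement is enforced elsewhere, but that is not visible in these hunks and worth confirming. Both enclosing classes start before their hunks and continue past them.

```python
class OwnerOrAdminMixin(object):
    """Deny access unless the request user owns the page or is an admin."""

    def dispatch(self, request, *args, **kwargs):
        if request.user.get_username() != self.kwargs['slug'] \
           and not request.user.groups.filter(name='admin').exists():
            raise PermissionDenied
        return super(OwnerOrAdminMixin, self).dispatch(request, *args, **kwargs)

# … unchanged: UserUpdate and UserChangePassword bodies, with OwnerOrAdminMixin
#   added to their bases and the per-class dispatch overrides dropped …
```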