Prevent anonymous users from accessing any setup page

Anonymous users were able to access pages that used
the 'public' decorator of stronghold. If such a page
showed the installation routine of the setup module
they were able to access and use it, in other words:
Anonymous users were able to install software.
fonfon 2016-12-25 19:51:21 +01:00 committed by James Valleroy
parent 8450b1e4c9
commit da91981ff5
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808


@ -21,6 +21,7 @@ Django middleware to show pre-setup message and setup progress.
from django import urls
from django.contrib import messages
from django.contrib.auth.decorators import login_required
from django.utils.translation import ugettext_lazy as _
import logging
@ -75,5 +76,6 @@ class SetupMiddleware(object):
if module.setup_helper.get_state() == 'up-to-date':
return
view = views.SetupView.as_view()
# Only allow logged-in users to access any setup page
view = login_required(views.SetupView.as_view())
return view(request, setup_helper=module.setup_helper)
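Review bot: login_required on the `view = login_required(views.SetupView.as_view())` line only checks that the request is authenticated, so any logged-in account, not just an administrator, can still reach the setup view and use the installation routine the commit message describes. If installing software is meant to be an admin-only action, wrap the view with an authorization check as well (Django's user_passes_test or permission_required would fit here) rather than relying on login_required alone. The visible hunks also add no regression test; a test asserting that an anonymous request for a module whose state is not 'up-to-date' gets redirected to the login page instead of rendering SetupView would keep this fix from silently regressing.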