From da91981ff517fd8f876b022d5adeaa1a3b55342f Mon Sep 17 00:00:00 2001
From: fonfon
Date: Sun, 25 Dec 2016 19:51:21 +0100
Subject: [PATCH] Prevent anonymous users from accessing any setup page
Anonymous users were able to access pages that used the 'public' decorator of stronghold. If such a page showed the installation routine of the setup module they were able to access and use it, in other words: Anonymous users were able to install software.
---
 plinth/middleware.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plinth/middleware.py b/plinth/middleware.py
index 8223095fc..b73b83ba9 100644
--- a/plinth/middleware.py
+++ b/plinth/middleware.py
@@ -21,6 +21,7 @@ Django middleware to show pre-setup message and setup progress.
 from django import urls
 from django.contrib import messages
+from django.contrib.auth.decorators import login_required
 from django.utils.translation import ugettext_lazy as _
 import logging
@@ -75,5 +76,6 @@ class SetupMiddleware(object):
 if module.setup_helper.get_state() == 'up-to-date':
 return
-view = views.SetupView.as_view()
+# Only allow logged-in users to access any setup page
+view = login_required(views.SetupView.as_view())
 return view(request, setup_helper=module.setup_helper)
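Review bot: `login_required` gates only on `request.user.is_authenticated`, so after this change any signed-in account can reach the install routine through the middleware; if the setup pages are otherwise administrator-only, the wrapper at `view = login_required(views.SetupView.as_view())` should apply that same admin check rather than bare authentication (what SetupView itself requires is not visible in this hunk). The decorated view is also rebuilt on every request; hoisting `login_required(views.SetupView.as_view())` to a module- or class-level attribute avoids re-running `as_view()` per call. The added comment states the what but not the why; suggest `# The intercepted view may be marked 'public', so enforce login here or anonymous users could trigger installation`. The enclosing method of SetupMiddleware begins before this hunk.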