From bc939c08c6fbf3a8e3de8e2411f61f09952fbdd6 Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Mon, 16 Aug 2021 16:49:20 +0200
Subject: [PATCH] do not skip privacy level check on unauthenticated user

We do not currently use this mixin without also requiring authentication. Still this is a potential footgun. Note that PermissionRequiredMixin must come *after* this one, so in thise code the regulat authentication/permission checks have not yet run.
---
 castellum/subjects/mixins.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/castellum/subjects/mixins.py b/castellum/subjects/mixins.py
index 3927cb736..60bf2f4f3 100644
--- a/castellum/subjects/mixins.py
+++ b/castellum/subjects/mixins.py
@@ -20,7 +20,6 @@
 # .
 from django.conf import settings
-from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.views.generic import UpdateView
@@ -36,6 +35,8 @@ from .models import Subject
 class SubjectMixin:
 """Use this on every view that represents a subject.
+ Requires ``AccessMixin``.
+
 - set ``self.subject``
 - check privacy level
 """
@@ -49,9 +50,10 @@ class SubjectMixin:
 return obj.subject
 def dispatch(self, request, *args, **kwargs):
- if request.user.is_authenticated:
- if not request.user.has_privacy_level(self.subject.privacy_level):
- raise PermissionDenied
+ if not request.user.is_authenticated:
+ return self.handle_no_permission()
+ if not request.user.has_privacy_level(self.subject.privacy_level):
+ return self.handle_no_permission()
 return super().dispatch(request, *args, **kwargs)
 def get_context_data(self, **kwargs):
--
GitLab
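Review bot: The rewritten `dispatch` now depends on `self.handle_no_permission()` being supplied by Django's `AccessMixin`, but nothing in the hunk verifies that the mixin is present, so a view that composes `SubjectMixin` without `AccessMixin` would fail with `AttributeError` (a 500) on the denial path rather than the 403 that the removed `raise PermissionDenied` produced; the new `Requires ``AccessMixin``` docstring line is the only guard. That is still fail-closed, which is worth saying at the first `return self.handle_no_permission()`, e.g. `# handle_no_permission() comes from AccessMixin; a view missing that mixin errors out here rather than granting access`. Also note that for an authenticated user who fails `has_privacy_level`, `AccessMixin.handle_no_permission()` raises `PermissionDenied` on Django 2.1+ but on older releases redirects to `login_url` unless `raise_exception` is set, which would silently turn the old 403 into a login redirect for that case — worth confirming against the project's Django version.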