From b0a2df4cca3afda5687f4abb404548fa6135384b Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Wed, 1 Sep 2021 13:07:04 +0200
Subject: [PATCH] fix: prevent users from choosing an arbitrary group for filters

This is a security issue because users were able to select groups from other studies, bypassing permission checks.
---
castellum/recruitment/forms.py | 1 -
castellum/studies/templates/studies/filtergroup.html | 3 ---
castellum/studies/views/subjectfilters.py | 2 ++
3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/castellum/recruitment/forms.py b/castellum/recruitment/forms.py
index aa7a5368c..6f3133797 100644
--- a/castellum/recruitment/forms.py
+++ b/castellum/recruitment/forms.py
@@ -78,7 +78,6 @@ class SubjectFilterForm(forms.ModelForm):
class Meta:
model = SubjectFilter
fields = [
- 'group',
'description',
'operator',
'value',
diff --git a/castellum/studies/templates/studies/filtergroup.html b/castellum/studies/templates/studies/filtergroup.html
index ab9e2506e..96a9ef212 100644
--- a/castellum/studies/templates/studies/filtergroup.html
+++ b/castellum/studies/templates/studies/filtergroup.html
@@ -17,8 +17,6 @@ {% for pk, form in templates.items %}
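Review bot: Dropping `'group'` from `Meta.fields` means a bound `SubjectFilterForm` no longer assigns `SubjectFilter.group` at all, so every view that saves this form must now set it server-side from the study resolved by the URL, after the permission check — presumably the two added lines in `castellum/studies/views/subjectfilters.py` from the diffstat, which are not in this chunk, so I cannot confirm they cover every save path (create and update alike). If `group` is a required foreign key, a path that forgets `form.instance.group = ...` before `save()` will fail at save time rather than at validation, which is easy to miss in manual testing. Django silently discards a posted `group` value once the field is gone, which is the intended behaviour, but a regression test that POSTs another study's group pk and asserts the saved filter still belongs to the URL's study would keep this from regressing if someone re-adds the field later. The `fields` list and the enclosing `SubjectFilterForm` class continue past the end of the hunk.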