Improved permissions, 404 and 403 errors will be more frequent (when we type an invalid URL)

2025-06-21 09:58:23 +02:00 · 2020-03-31 04:16:30 +02:00
parent c384ee02eb
commit 1aae18e6a6
13 changed files with 272 additions and 105 deletions
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@ -5,7 +5,7 @@ from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Q, F
-from note.models import Note, NoteUser, NoteClub, NoteSpecial
+from note.models import Note, NoteUser, NoteClub, NoteSpecial, NoteActivity
 from note_kfet.middlewares import get_current_session
 from member.models import Membership, Club

@ -35,7 +35,7 @@ class PermissionBackend(ModelBackend):
            model__app_label=model.app_label,  # For polymorphic models, we don't filter on model type
            type=type,
        ).all():
-            if not isinstance(model, permission.model.__class__):
+            if not isinstance(model, permission.model.__class__) or not permission.club:
                continue

            club = Club.objects.get(pk=permission.club)
@ -49,6 +49,7 @@ class PermissionBackend(ModelBackend):
                NoteUser=NoteUser,
                NoteClub=NoteClub,
                NoteSpecial=NoteSpecial,
+                NoteActivity=NoteActivity,
                F=F,
                Q=Q
            )
--- a/apps/permission/fixtures/initial.json
+++ b/apps/permission/fixtures/initial.json
@ -176,7 +176,7 @@
        "note",
        "alias"
      ],
-      "query": "[\"OR\", {\"note__in\": [\"NoteUser\", \"objects\", [\"filter\", {\"user__membership__club__name\": \"Kfet\"}], [\"all\"]]}, {\"note__in\": [\"NoteClub\", \"objects\", [\"all\"]]}]",
+      "query": "[\"OR\", {\"note__in\": [\"NoteUser\", \"objects\", [\"filter\", {\"user__membership__club__name\": \"Kfet\"}], [\"all\"]]}, {\"note__in\": [\"NoteClub\", \"objects\", [\"all\"]]}, {\"note__in\": [\"NoteActivity\", \"objects\", [\"all\"]]}]",
      "type": "view",
      "mask": 1,
      "field": "",
@ -386,7 +386,7 @@
        "note",
        "transaction"
      ],
-      "query": "[\"AND\", [\"OR\", {\"source\": [\"club\", \"note\"]}, {\"destination\": [\"club\", \"note\"]}], {\"amount__lte\": {\"F\": [\"ADD\", [\"F\", \"source__balance\"], 5000]}}]",
+      "query": "[\"AND\", [\"OR\", {\"source\": [\"club\", \"note\"]}, {\"destination\": [\"club\", \"note\"]}], [\"OR\", {\"amount__lte\": {\"F\": [\"ADD\", [\"F\", \"source__balance\"], 5000]}}, {\"valid\": false}]]",
      "type": "add",
      "mask": 2,
      "field": "",
@ -783,6 +783,111 @@
      "description": "Validate invitation transactions"
    }
  },
+  {
+    "model": "permission.permission",
+    "pk": 47,
+    "fields": {
+      "model": [
+        "member",
+        "club"
+      ],
+      "query": "{\"pk\": [\"club\", \"pk\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "",
+      "description": "Update club"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 48,
+    "fields": {
+      "model": [
+        "note",
+        "noteactivity"
+      ],
+      "query": "{\"club\": [\"club\"]}",
+      "type": "change",
+      "mask": 1,
+      "field": "",
+      "description": "Manage notes that are linked to a club"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 49,
+    "fields": {
+      "model": [
+        "note",
+        "noteactivity"
+      ],
+      "query": "{\"club\": [\"club\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View notes that are linked to a club"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 50,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "[\"AND\", [\"OR\", {\"source__noteactivity__controller\": [\"user\"]}, {\"destination__noteactivity__controller\": [\"user\"]}], [\"OR\", {\"amount__lte\": {\"F\": [\"ADD\", [\"F\", \"source__balance\"], 5000]}}, {\"valid\": false}]]",
+      "type": "add",
+      "mask": 2,
+      "field": "",
+      "description": "Add transactions linked to a noteactivity"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 51,
+    "fields": {
+      "model": [
+        "note",
+        "transaction"
+      ],
+      "query": "[\"AND\", [\"OR\", {\"source__noteactivity__controller\": [\"user\"]}, {\"destination__noteactivity__controller\": [\"user\"]}]]",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View transactions linked to a noteactivity"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 52,
+    "fields": {
+      "model": [
+        "note",
+        "note"
+      ],
+      "query": "{\"noteactivity__controller\": [\"user\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View note activity"
+    }
+  },
+  {
+    "model": "permission.permission",
+    "pk": 53,
+    "fields": {
+      "model": [
+        "note",
+        "noteactivity"
+      ],
+      "query": "{\"controller\": [\"user\"]}",
+      "type": "view",
+      "mask": 1,
+      "field": "",
+      "description": "View note activity"
+    }
+  },
  {
    "model": "permission.rolepermissions",
    "pk": 1,
@ -810,7 +915,6 @@
        3,
        4,
        5,
-        6,
        7,
        8,
        9,
@ -827,7 +931,12 @@
        35,
        36,
        39,
-        40
+        40,
+        6,
+        52,
+        53,
+        51,
+        50
      ]
    }
  },
@ -838,9 +947,9 @@
      "role": 8,
      "permissions": [
        19,
-        20,
        21,
-        22
+        22,
+        20
      ]
    }
  },
@ -880,5 +989,18 @@
        46
      ]
    }
+  },
+  {
+    "model": "permission.rolepermissions",
+    "pk": 6,
+    "fields": {
+      "role": 7,
+      "permissions": [
+        22,
+        47,
+        48,
+        49
+      ]
+    }
  }
 ]
--- a/apps/permission/models.py
+++ b/apps/permission/models.py
@ -38,20 +38,29 @@ class InstancedPermission:
            if permission_type == self.type:
                self.update_query()

-                # Don't increase indexes
-                obj.pk = 0
+                # Don't increase indexes, if the primary key is an AutoField
+                if not hasattr(obj, "pk") or not obj.pk:
+                    obj.pk = 0
+                    oldpk = None
+                else:
+                    oldpk = obj.pk
+                # Ensure previous models are deleted
+                self.model.model_class().objects.filter(pk=obj.pk).delete()
                # Force insertion, no data verification, no trigger
                Model.save(obj, force_insert=True)
-                ret = obj in self.model.model_class().objects.filter(self.query).all()
+                ret = self.model.model_class().objects.filter(self.query & Q(pk=obj.pk)).exists()
                # Delete testing object
                Model.delete(obj)
+
+                # If the primary key was specified, we restore it
+                obj.pk = oldpk
                return ret

        if permission_type == self.type:
            if self.field and field_name != self.field:
                return False
            self.update_query()
-            return obj in self.model.model_class().objects.filter(self.query).all()
+            return self.model.model_class().objects.filter(self.query & Q(pk=obj.pk)).exists()
        else:
            return False

--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@ -0,0 +1,11 @@
+# Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from permission.backends import PermissionBackend
+
+
+class ProtectQuerysetMixin:
+    def get_queryset(self, **kwargs):
+        qs = super().get_queryset(**kwargs)
+
+        return qs.filter(PermissionBackend.filter_queryset(self.request.user, qs.model, "view"))