Add backdoor to login as other users (in debug mode only)

2025-06-21 01:48:21 +02:00 · 2020-07-30 12:50:48 +02:00
parent b49db39080
commit fb775de923
6 changed files with 53 additions and 7 deletions
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@ -1,7 +1,6 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-from django.conf import settings
 from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
@ -137,7 +136,7 @@ class PermissionBackend(ModelBackend):
        if sess is not None and sess.session_key is None:
            return False

-        if user_obj.is_superuser and get_current_session().get("permission_mask", -1) >= 42:
+        if user_obj.is_superuser and sess.get("permission_mask", -1) >= 42:
            return True

        if obj is None:
--- a/apps/permission/decorators.py
+++ b/apps/permission/decorators.py
@ -4,6 +4,7 @@
 from functools import lru_cache
 from time import time

+from django.conf import settings
 from django.contrib.sessions.models import Session
 from note_kfet.middlewares import get_current_session

@ -32,6 +33,10 @@ def memoize(f):
        sess_funs = new_sess_funs

    def func(*args, **kwargs):
+        if settings.DEBUG:
+            # Don't memoize in DEBUG mode
+            return f(*args, **kwargs)
+
        nonlocal last_collect

        if time() - last_collect > 60:
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@ -1,6 +1,6 @@
 # Copyright (C) 2018-2020 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
+from django.contrib.auth.models import User
 from django.core.exceptions import PermissionDenied
 from django.utils.translation import gettext_lazy as _
 from note_kfet.middlewares import get_current_authenticated_user
@ -50,6 +50,10 @@ def pre_save_object(sender, instance, **kwargs):

        # In the other case, we check if he/she has the right to change one field
        previous = qs.get()
+
+        if isinstance(instance, User) and instance.last_login != previous.last_login:
+            pass #return
+
        for field in instance._meta.fields:
            field_name = field.name
            old_value = getattr(previous, field.name)