

Fix mp security by Aabu
artragis committed Oct 18, 2022
1 parent e78c57a commit 6401fa6
Showing 2 changed files with 11 additions and 0 deletions.
9 changes: 9 additions & 0 deletions zds/mp/tests/tests_views.py
Expand Up @@ -625,6 +625,7 @@ class LeaveViewTest(TestCase):
def setUp(self):
self.profile1 = ProfileFactory()
self.profile2 = ProfileFactory()
self.profile3 = ProfileFactory()

self.anonymous_account = UserFactory(username=settings.ZDS_APP["member"]["anonymous_account"])
self.bot_group = Group()
Expand All @@ -650,6 +651,14 @@ def test_denies_anonymous(self):
response, reverse("member-login") + "?next=" + reverse("mp:leave", args=[1, "private-topic"])
)

def test_denies_leave_topic_as_random_member(self):
self.client.force_login(self.profile3.user)

response = self.client.post(reverse("mp:leave", args=[self.topic1.pk, self.topic1.slug()]), follow=True)

self.assertEqual(403, response.status_code)
self.assertEqual(1, PrivateTopic.objects.filter(pk=self.topic1.pk).count())

def test_fail_leave_topic_no_exist(self):

response = self.client.post(reverse("mp:leave", args=[999, "private-topic"]))
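Review bot: In `test_denies_leave_topic_as_random_member` the second assertion only proves that `topic1` was not deleted; it says nothing about whether the POST altered the topic's participants, which is the actual property the 403 is meant to protect. Add an assertion that the topic's participant set is identical before and after the request, using whatever accessor `PrivateTopic` exposes for participants (not visible in this hunk). The test also relies on `setUp` never adding `profile3` to `topic1`; the remainder of `setUp` is outside the hunk, so that is inferred from the 403 expectation. A one-line docstring would make the intent explicit: `"""A logged-in user who is not a participant gets 403 and the topic is left untouched."""`.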
2 changes: 2 additions & 0 deletions zds/mp/views.py
Expand Up @@ -156,6 +156,8 @@ def dispatch(self, request, *args, **kwargs):

def post(self, request, *args, **kwargs):
topic = self.get_object()
if not topic.is_participant(self.get_current_user()):
raise PermissionDenied
self.perform_destroy(topic)
messages.success(request, _("Vous avez quitté la conversation avec succès."))
return redirect(reverse("mp:list"))
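Review bot: The new `if not topic.is_participant(self.get_current_user()):` guard in `post` carries no comment explaining why a non-participant is rejected with 403 rather than redirected, and it is the only authorization check visible on this path. The hunk header shows the view also defines `dispatch` (its body is outside the hunk); if `dispatch` is where the login requirement is enforced, consider placing the participant check there as well so that every verb the view answers is guarded in one place — this is inferred, since `dispatch` is not visible here. Add a why-comment above the guard: `# Only a participant may leave the topic; anyone else is rejected before perform_destroy runs.`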
