From 6401fa6734dfee4f471ef5943f71a17237ec37c0 Mon Sep 17 00:00:00 2001
From: artragis
Date: Tue, 18 Oct 2022 19:38:10 +0200
Subject: [PATCH] Fix mp security by Aabu

---
 zds/mp/tests/tests_views.py | 9 +++++++++
 zds/mp/views.py             | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/zds/mp/tests/tests_views.py b/zds/mp/tests/tests_views.py
index f1f1886d9b..f3700289ca 100644
--- a/zds/mp/tests/tests_views.py
+++ b/zds/mp/tests/tests_views.py
@@ -625,6 +625,7 @@ class LeaveViewTest(TestCase):
     def setUp(self):
         self.profile1 = ProfileFactory()
         self.profile2 = ProfileFactory()
+        self.profile3 = ProfileFactory()
         self.anonymous_account = UserFactory(username=settings.ZDS_APP["member"]["anonymous_account"])
         self.bot_group = Group()
 
@@ -650,6 +651,14 @@ def test_denies_anonymous(self):
             response, reverse("member-login") + "?next=" + reverse("mp:leave", args=[1, "private-topic"])
         )
 
+    def test_denies_leave_topic_as_random_member(self):
+        self.client.force_login(self.profile3.user)
+
+        response = self.client.post(reverse("mp:leave", args=[self.topic1.pk, self.topic1.slug()]), follow=True)
+
+        self.assertEqual(403, response.status_code)
+        self.assertEqual(1, PrivateTopic.objects.filter(pk=self.topic1.pk).count())
+
     def test_fail_leave_topic_no_exist(self):
         response = self.client.post(reverse("mp:leave", args=[999, "private-topic"]))
 
diff --git a/zds/mp/views.py b/zds/mp/views.py
index 0d9c84b3f4..162e8d0ec1 100644
--- a/zds/mp/views.py
+++ b/zds/mp/views.py
@@ -156,6 +156,8 @@ def dispatch(self, request, *args, **kwargs):
 
     def post(self, request, *args, **kwargs):
         topic = self.get_object()
+        if not topic.is_participant(self.get_current_user()):
+            raise PermissionDenied
         self.perform_destroy(topic)
         messages.success(request, _("Vous avez quitté la conversation avec succès."))
         return redirect(reverse("mp:list"))
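Review bot: The new test `test_denies_leave_topic_as_random_member` only checks that the topic row still exists after the 403; if leaving removes the caller from the participant list rather than deleting the topic (which the hunk does not show, so this is inferred), a regression that silently drops a legitimate participant would still pass this assertion. A stronger post-condition would be to `self.topic1.refresh_from_db()` and assert with `self.topic1.is_participant(...)` that the members present before the request are still participants, and that profile3 is not. The `follow=True` on the POST is also unnecessary, since a 403 carries no redirect to follow, and a one-line docstring such as `"""A logged-in member who is not a participant must get 403 and leave the topic untouched."""` would state the security property under test. The `LeaveViewTest` class starts outside this hunk.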
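Review bot: The participant check is added only in `post`, so any other handler on this view (the hunk header shows a `dispatch` just above, and the rest of the class is outside the hunk) stays unguarded unless it has its own check; placing the membership test in `dispatch`, or in `get_object`/`get_queryset` so that non-participants cannot resolve the topic at all, would cover every verb in one place. The view calls `self.get_current_user()` rather than `request.user`, which is fine if that helper is what the rest of the class uses; I cannot see whether `PermissionDenied` is imported in this module, so please confirm the `django.core.exceptions` import exists, since a missing import would turn the denial into a 500. A short comment on the new branch, `# only participants may leave; anyone else gets 403 rather than altering the topic`, would make the intent explicit for the next reader.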