From 8c5e6302b616fbe4666598ebcdf2a7d0c007be37 Mon Sep 17 00:00:00 2001
From: Cayo Puigdefabregas
Date: Sat, 20 Jan 2024 12:26:19 +0100
Subject: [PATCH] add 403 exception for bad access
---
 idhub/admin/views.py | 14 ++++++++++++++
 idhub/mixins.py | 33 +++++++++++++++++++++++++++------
 2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/idhub/admin/views.py b/idhub/admin/views.py
index 878594c..45640d4 100644
--- a/idhub/admin/views.py
+++ b/idhub/admin/views.py
@@ -52,6 +52,7 @@ class DobleFactorAuthView(AdminView, View):
 url = reverse_lazy('idhub:admin_dashboard')
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 if not self.request.session.get("2fauth"):
 return redirect(self.url)
@@ -132,6 +133,7 @@ class PeopleView(People, TemplateView):
 class PeopleActivateView(PeopleView):
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
@@ -153,6 +155,7 @@ class PeopleActivateView(PeopleView):
 class PeopleDeleteView(PeopleView):
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
@@ -317,6 +320,7 @@ class PeopleMembershipDeleteView(PeopleView):
 model = Membership
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
@@ -404,6 +408,7 @@ class PeopleRolDeleteView(PeopleView):
 model = UserRol
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
 user = self.object.user
@@ -467,6 +472,7 @@ class RolDeleteView(AccessControl):
 model = Rol
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
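Review bot: Calling `self.check_valid_user()` as the first statement of `DobleFactorAuthView.get` appears to make the second-factor view unreachable: the new `check_valid_user` in idhub/mixins.py raises `Http403` whenever `request.session["2fauth"]` is set, and the very next context line redirects to `self.url` whenever it is not set, so no request reaches the rest of the handler. Assuming the `2fauth` session flag marks a pending second factor, a user who still has to complete it now receives a 403 instead of the 2FA page. If only the `is_admin` part is wanted here, let the mixin separate the two conditions, e.g. `def check_valid_user(self, *, require_2fa_done=True):` with the session test guarded by the flag, and call `self.check_valid_user(require_2fa_done=False)` from this view. The body of `get` continues outside the hunk, so what the handler does after the redirect is not visible here.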
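Review bot: The guard in `PeopleActivateView.get` is a hand-placed call, and the same pattern is repeated in the PeopleDeleteView, PeopleMembershipDeleteView, PeopleRolDeleteView, RolDeleteView, ServiceDeleteView, CredentialJsonView, RevokeCredentialsView, DeleteCredentialsView, DidDeleteView, SchemasDeleteView, SchemasDownloadView and SchemasImportAddView hunks; every `get` override that does not call `super().get()` bypasses the new `AdminView.get` check, so any override that was missed here, or is added later, silently stays open. It also presumes that `People`, `AccessControl`, `Credentials` and `SchemasMix` all derive from `AdminView`, which this diff does not show. A fail-closed alternative is a single override on `AdminView`, `def dispatch(self, request, *args, **kwargs):` / `if request.user.is_authenticated: self.check_valid_user()` / `return super().dispatch(request, *args, **kwargs)`, which covers every HTTP method and every subclass without per-view calls, while the `is_authenticated` test leaves anonymous requests to `LoginRequiredMixin`. Separately, handlers such as `SchemasDeleteView.get` delete on GET (`self.object.delete()` in the context lines); that predates this commit but is worth moving to a CSRF-protected POST in a follow-up.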
@@ -540,6 +546,7 @@ class ServiceDeleteView(AccessControl):
 model = Service
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
@@ -584,6 +591,7 @@ class CredentialView(Credentials):
 class CredentialJsonView(Credentials):
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 pk = kwargs['pk']
 self.object = get_object_or_404(
 VerificableCredential,
@@ -598,6 +606,7 @@ class RevokeCredentialsView(Credentials):
 success_url = reverse_lazy('idhub:admin_credentials')
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 pk = kwargs['pk']
 self.object = get_object_or_404(
 VerificableCredential,
@@ -617,6 +626,7 @@ class DeleteCredentialsView(Credentials):
 success_url = reverse_lazy('idhub:admin_credentials')
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 pk = kwargs['pk']
 self.object = get_object_or_404(
 VerificableCredential,
@@ -696,6 +706,7 @@ class DidDeleteView(Credentials, DeleteView):
 success_url = reverse_lazy('idhub:admin_dids')
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(self.model, pk=self.pk)
 Event.set_EV_ORG_DID_DELETED_BY_ADMIN(self.object)
@@ -734,6 +745,7 @@ class SchemasView(SchemasMix):
 class SchemasDeleteView(SchemasMix):
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(Schemas, pk=self.pk)
 self.object.delete()
@@ -744,6 +756,7 @@ class SchemasDeleteView(SchemasMix):
 class SchemasDownloadView(SchemasMix):
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 self.pk = kwargs['pk']
 self.object = get_object_or_404(Schemas, pk=self.pk)
@@ -822,6 +835,7 @@ class SchemasImportView(SchemasMix):
 class SchemasImportAddView(SchemasMix):
 def get(self, request, *args, **kwargs):
+ self.check_valid_user()
 file_name = kwargs['file_schema']
 schemas_files = os.listdir(settings.SCHEMAS_DIR)
 if not file_name in schemas_files:
diff --git a/idhub/mixins.py b/idhub/mixins.py
index f118b1e..8692c2d 100644
--- a/idhub/mixins.py
+++ b/idhub/mixins.py
@@ -3,6 +3,21 @@ from django.contrib.auth import views as auth_views
 from django.urls import reverse_lazy, resolve
 from django.utils.translation import gettext_lazy as _
 from django.shortcuts import redirect
+from django.http import Http404
+from django.core.exceptions import PermissionDenied
+
+
+
+class Http403(PermissionDenied):
+ status_code = 403
+ default_detail = _('Permission denied. User is not authenticated')
+ default_code = 'forbidden'
+
+ def __init__(self, detail=None, code=None):
+ if detail is not None:
+ self.detail = details or self.default_details
+ if code is not None:
+ self.code = code or self.default_code
 class UserView(LoginRequiredMixin):
@@ -26,11 +41,17 @@ class UserView(LoginRequiredMixin):
 class AdminView(UserView):
 def get(self, request, *args, **kwargs):
- if not request.user.is_admin:
- url = reverse_lazy('idhub:user_dashboard')
- return redirect(url)
+ self.check_valid_user()
+ return super().get(request, *args, **kwargs)
+
+ def post(self, request, *args, **kwargs):
+ self.check_valid_user()
+ return super().post(request, *args, **kwargs)
+
+ def check_valid_user(self):
+ if not self.request.user.is_admin:
+ raise Http403
 if self.request.session.get("2fauth"):
- return redirect(reverse_lazy("idhub:login"))
-
- return super().get(request, *args, **kwargs)
+ raise Http403
+
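Review bot: `Http403.__init__` raises `NameError` as soon as a caller passes `detail`, because neither `details` nor `self.default_details` on the `self.detail = details or self.default_details` line exists (the class attribute above it is `default_detail`), and when `detail` is `None` nothing is assigned, so the default message is never applied either; the bare `raise Http403` in this commit never exercises that path, which is why it goes unnoticed. A constructor that actually carries the reason is `self.detail = detail if detail is not None else self.default_detail`, `self.code = code if code is not None else self.default_code`, `super().__init__(self.detail)`. Note that `status_code`/`default_detail`/`default_code` are attributes DRF's `APIException` reads, not `django.core.exceptions.PermissionDenied`; the 403 response here comes from Django's standard handling of `PermissionDenied`, so they are documentation at best. The default text `'Permission denied. User is not authenticated'` is also misleading since the check fires for authenticated non-admin users; something like `_('Permission denied. Administrator access required')` matches the condition. `from django.http import Http404` is unused in the lines shown.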
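Review bot: `check_valid_user` turns the case of an authenticated admin whose session still carries the `2fauth` flag from a redirect to `idhub:login` (the removed line) into a hard 403, and both `raise Http403` statements are indistinguishable in the resulting 403 page and in logs. If that case is meant to send the user to the second-factor step, keep a redirect there rather than a denial; if it is meant to be a denial, give it its own message, e.g. `raise Http403(_('Second factor not completed'))`, bearing in mind that the constructor added in the hunk above does not store `detail` correctly yet. Since this method is now the single authorization gate for the admin views, it deserves a docstring such as `"""Raise Http403 unless request.user is an admin with no pending second factor."""`. The new `post` wrapper only protects views that reach `AdminView.post` through `super()`; other methods (`put`, `patch`, `delete`) and overrides that skip `super()` remain unguarded, so a `dispatch`-level check is the safer placement.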