add 403 exception for bad access
parent
e87db60b7e
commit
8c5e6302b6
|
@ -52,6 +52,7 @@ class DobleFactorAuthView(AdminView, View):
|
||||||
url = reverse_lazy('idhub:admin_dashboard')
|
url = reverse_lazy('idhub:admin_dashboard')
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
if not self.request.session.get("2fauth"):
|
if not self.request.session.get("2fauth"):
|
||||||
return redirect(self.url)
|
return redirect(self.url)
|
||||||
|
|
||||||
|
@ -132,6 +133,7 @@ class PeopleView(People, TemplateView):
|
||||||
class PeopleActivateView(PeopleView):
|
class PeopleActivateView(PeopleView):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
|
|
||||||
|
@ -153,6 +155,7 @@ class PeopleActivateView(PeopleView):
|
||||||
class PeopleDeleteView(PeopleView):
|
class PeopleDeleteView(PeopleView):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
|
|
||||||
|
@ -317,6 +320,7 @@ class PeopleMembershipDeleteView(PeopleView):
|
||||||
model = Membership
|
model = Membership
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
|
|
||||||
|
@ -404,6 +408,7 @@ class PeopleRolDeleteView(PeopleView):
|
||||||
model = UserRol
|
model = UserRol
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
user = self.object.user
|
user = self.object.user
|
||||||
|
@ -467,6 +472,7 @@ class RolDeleteView(AccessControl):
|
||||||
model = Rol
|
model = Rol
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
|
|
||||||
|
@ -540,6 +546,7 @@ class ServiceDeleteView(AccessControl):
|
||||||
model = Service
|
model = Service
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
|
|
||||||
|
@ -584,6 +591,7 @@ class CredentialView(Credentials):
|
||||||
class CredentialJsonView(Credentials):
|
class CredentialJsonView(Credentials):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
pk = kwargs['pk']
|
pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(
|
self.object = get_object_or_404(
|
||||||
VerificableCredential,
|
VerificableCredential,
|
||||||
|
@ -598,6 +606,7 @@ class RevokeCredentialsView(Credentials):
|
||||||
success_url = reverse_lazy('idhub:admin_credentials')
|
success_url = reverse_lazy('idhub:admin_credentials')
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
pk = kwargs['pk']
|
pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(
|
self.object = get_object_or_404(
|
||||||
VerificableCredential,
|
VerificableCredential,
|
||||||
|
@ -617,6 +626,7 @@ class DeleteCredentialsView(Credentials):
|
||||||
success_url = reverse_lazy('idhub:admin_credentials')
|
success_url = reverse_lazy('idhub:admin_credentials')
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
pk = kwargs['pk']
|
pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(
|
self.object = get_object_or_404(
|
||||||
VerificableCredential,
|
VerificableCredential,
|
||||||
|
@ -696,6 +706,7 @@ class DidDeleteView(Credentials, DeleteView):
|
||||||
success_url = reverse_lazy('idhub:admin_dids')
|
success_url = reverse_lazy('idhub:admin_dids')
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||||
Event.set_EV_ORG_DID_DELETED_BY_ADMIN(self.object)
|
Event.set_EV_ORG_DID_DELETED_BY_ADMIN(self.object)
|
||||||
|
@ -734,6 +745,7 @@ class SchemasView(SchemasMix):
|
||||||
class SchemasDeleteView(SchemasMix):
|
class SchemasDeleteView(SchemasMix):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(Schemas, pk=self.pk)
|
self.object = get_object_or_404(Schemas, pk=self.pk)
|
||||||
self.object.delete()
|
self.object.delete()
|
||||||
|
@ -744,6 +756,7 @@ class SchemasDeleteView(SchemasMix):
|
||||||
class SchemasDownloadView(SchemasMix):
|
class SchemasDownloadView(SchemasMix):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
self.pk = kwargs['pk']
|
self.pk = kwargs['pk']
|
||||||
self.object = get_object_or_404(Schemas, pk=self.pk)
|
self.object = get_object_or_404(Schemas, pk=self.pk)
|
||||||
|
|
||||||
|
@ -822,6 +835,7 @@ class SchemasImportView(SchemasMix):
|
||||||
class SchemasImportAddView(SchemasMix):
|
class SchemasImportAddView(SchemasMix):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
file_name = kwargs['file_schema']
|
file_name = kwargs['file_schema']
|
||||||
schemas_files = os.listdir(settings.SCHEMAS_DIR)
|
schemas_files = os.listdir(settings.SCHEMAS_DIR)
|
||||||
if not file_name in schemas_files:
|
if not file_name in schemas_files:
|
||||||
|
|
|
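Review bot: In the DobleFactorAuthView hunk the new `self.check_valid_user()` sits right before `if not self.request.session.get("2fauth"): return redirect(self.url)`, and the AdminView.check_valid_user added in the other file raises Http403 whenever `2fauth` is set in the session, so once the call returns the session flag is always falsy and the view always redirects to `self.url` — the rest of `get`, which continues past the hunk, looks unreachable (unless DobleFactorAuthView defines its own check_valid_user, which is not visible here). If only the admin test is wanted at that point, `if not request.user.is_admin: raise Http403` in place of the call keeps the two-factor view reachable. The remaining hunks in this file (PeopleActivateView through SchemasImportAddView) add the same one-line call to each `get()`, which guards GET only; any of these views that overrides `post()` needs the identical call, or a single `dispatch()` override on AdminView could enforce it for every method — but it would have to run after LoginRequiredMixin's authentication check, since `check_valid_user` dereferences `request.user.is_admin`.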
@ -3,6 +3,21 @@ from django.contrib.auth import views as auth_views
|
||||||
from django.urls import reverse_lazy, resolve
|
from django.urls import reverse_lazy, resolve
|
||||||
from django.utils.translation import gettext_lazy as _
|
from django.utils.translation import gettext_lazy as _
|
||||||
from django.shortcuts import redirect
|
from django.shortcuts import redirect
|
||||||
|
from django.http import Http404
|
||||||
|
from django.core.exceptions import PermissionDenied
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
class Http403(PermissionDenied):
|
||||||
|
status_code = 403
|
||||||
|
default_detail = _('Permission denied. User is not authenticated')
|
||||||
|
default_code = 'forbidden'
|
||||||
|
|
||||||
|
def __init__(self, detail=None, code=None):
|
||||||
|
if detail is not None:
|
||||||
|
self.detail = details or self.default_details
|
||||||
|
if code is not None:
|
||||||
|
self.code = code or self.default_code
|
||||||
|
|
||||||
|
|
||||||
class UserView(LoginRequiredMixin):
|
class UserView(LoginRequiredMixin):
|
||||||
|
@ -26,11 +41,17 @@ class UserView(LoginRequiredMixin):
|
||||||
class AdminView(UserView):
|
class AdminView(UserView):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
if not request.user.is_admin:
|
self.check_valid_user()
|
||||||
url = reverse_lazy('idhub:user_dashboard')
|
return super().get(request, *args, **kwargs)
|
||||||
return redirect(url)
|
|
||||||
|
def post(self, request, *args, **kwargs):
|
||||||
|
self.check_valid_user()
|
||||||
|
return super().post(request, *args, **kwargs)
|
||||||
|
|
||||||
|
def check_valid_user(self):
|
||||||
|
if not self.request.user.is_admin:
|
||||||
|
raise Http403
|
||||||
|
|
||||||
if self.request.session.get("2fauth"):
|
if self.request.session.get("2fauth"):
|
||||||
return redirect(reverse_lazy("idhub:login"))
|
raise Http403
|
||||||
|
|
||||||
return super().get(request, *args, **kwargs)
|
|
||||||
|
|
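Review bot: `Http403.__init__` in the first hunk reads `details` and `self.default_details`, neither of which exists (the class attribute is `default_detail`), so any `Http403("...")` call raises NameError instead of the intended exception; only the bare `raise Http403` used in check_valid_user avoids that branch. The `or` fallbacks are also dead under the `is not None` guards; replacing the two branches with `self.detail = detail if detail is not None else self.default_detail` and `self.code = code if code is not None else self.default_code`, then calling `super().__init__(self.detail)`, makes the message reach `str(exc)`. Django's PermissionDenied is a plain Exception that the request handler maps to a 403 response, so `status_code`, `default_detail` and `default_code` are not read by Django itself; unless something else in the project consumes them, a comment saying they are informational would help the next reader. In the second hunk, `check_valid_user` keeps the old `2fauth` condition but turns the login redirect into a 403; if that session key marks a pending second factor, a 403 leaves the user no path to complete it, which is worth a comment at the raise.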