add 403 exception for bad access

This commit is contained in:
Cayo Puigdefabregas 2024-01-20 12:26:19 +01:00
parent e87db60b7e
commit 8c5e6302b6
2 changed files with 41 additions and 6 deletions


@ -52,6 +52,7 @@ class DobleFactorAuthView(AdminView, View):
url = reverse_lazy('idhub:admin_dashboard')
def get(self, request, *args, **kwargs):
self.check_valid_user()
if not self.request.session.get("2fauth"):
return redirect(self.url)
@ -132,6 +133,7 @@ class PeopleView(People, TemplateView):
class PeopleActivateView(PeopleView):
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
@ -153,6 +155,7 @@ class PeopleActivateView(PeopleView):
class PeopleDeleteView(PeopleView):
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
@ -317,6 +320,7 @@ class PeopleMembershipDeleteView(PeopleView):
model = Membership
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
@ -404,6 +408,7 @@ class PeopleRolDeleteView(PeopleView):
model = UserRol
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
user = self.object.user
@ -467,6 +472,7 @@ class RolDeleteView(AccessControl):
model = Rol
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
@ -540,6 +546,7 @@ class ServiceDeleteView(AccessControl):
model = Service
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
@ -584,6 +591,7 @@ class CredentialView(Credentials):
class CredentialJsonView(Credentials):
def get(self, request, *args, **kwargs):
self.check_valid_user()
pk = kwargs['pk']
self.object = get_object_or_404(
VerificableCredential,
@ -598,6 +606,7 @@ class RevokeCredentialsView(Credentials):
success_url = reverse_lazy('idhub:admin_credentials')
def get(self, request, *args, **kwargs):
self.check_valid_user()
pk = kwargs['pk']
self.object = get_object_or_404(
VerificableCredential,
@ -617,6 +626,7 @@ class DeleteCredentialsView(Credentials):
success_url = reverse_lazy('idhub:admin_credentials')
def get(self, request, *args, **kwargs):
self.check_valid_user()
pk = kwargs['pk']
self.object = get_object_or_404(
VerificableCredential,
@ -696,6 +706,7 @@ class DidDeleteView(Credentials, DeleteView):
success_url = reverse_lazy('idhub:admin_dids')
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(self.model, pk=self.pk)
Event.set_EV_ORG_DID_DELETED_BY_ADMIN(self.object)
@ -734,6 +745,7 @@ class SchemasView(SchemasMix):
class SchemasDeleteView(SchemasMix):
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(Schemas, pk=self.pk)
self.object.delete()
@ -744,6 +756,7 @@ class SchemasDeleteView(SchemasMix):
class SchemasDownloadView(SchemasMix):
def get(self, request, *args, **kwargs):
self.check_valid_user()
self.pk = kwargs['pk']
self.object = get_object_or_404(Schemas, pk=self.pk)
@ -822,6 +835,7 @@ class SchemasImportView(SchemasMix):
class SchemasImportAddView(SchemasMix):
def get(self, request, *args, **kwargs):
self.check_valid_user()
file_name = kwargs['file_schema']
schemas_files = os.listdir(settings.SCHEMAS_DIR)
if not file_name in schemas_files:
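Review bot: In the first hunk (`@ -52,6 +52,7`, DobleFactorAuthView.get) the added `self.check_valid_user()` runs before the existing `if not self.request.session.get("2fauth")` check, and if the mixin's `check_valid_user` raises `Http403` whenever that session flag is set — which is what the second file's hunk appears to do — the 2FA page becomes unreachable: a session with the flag gets a 403, one without it is redirected to the dashboard. Presumably this view is the step that is meant to clear the flag, so it should only enforce the admin check here, e.g. `if not request.user.is_admin: raise Http403` in place of the added call, or `check_valid_user` needs an explicit way to skip the 2FA condition for this view; confirm the meaning of the `2fauth` flag before changing it, since this is inferred from the visible lines only. The other `get` overrides in this section (PeopleActivateView through SchemasImportAddView) are right to call the check first, because they do not chain to `AdminView.get`; each of those methods continues past its hunk.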


@ -3,6 +3,21 @@ from django.contrib.auth import views as auth_views
from django.urls import reverse_lazy, resolve
from django.utils.translation import gettext_lazy as _
from django.shortcuts import redirect
from django.http import Http404
from django.core.exceptions import PermissionDenied
class Http403(PermissionDenied):
status_code = 403
default_detail = _('Permission denied. User is not authenticated')
default_code = 'forbidden'
def __init__(self, detail=None, code=None):
if detail is not None:
self.detail = details or self.default_details
if code is not None:
self.code = code or self.default_code
class UserView(LoginRequiredMixin):
@ -26,11 +41,17 @@ class UserView(LoginRequiredMixin):
class AdminView(UserView):
def get(self, request, *args, **kwargs):
if not request.user.is_admin:
url = reverse_lazy('idhub:user_dashboard')
return redirect(url)
self.check_valid_user()
return super().get(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
self.check_valid_user()
return super().post(request, *args, **kwargs)
def check_valid_user(self):
if not self.request.user.is_admin:
raise Http403
if self.request.session.get("2fauth"):
return redirect(reverse_lazy("idhub:login"))
raise Http403
return super().get(request, *args, **kwargs)
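Review bot: `Http403.__init__`, on the line `self.detail = details or self.default_details`, refers to two names that do not exist (`details`, and `default_details` where the class attribute is `default_detail`), so any `Http403(detail=...)` call raises NameError and surfaces as a 500 instead of a 403; the bare `raise Http403` in `check_valid_user` never enters that branch, which is why it goes unnoticed. The `if detail is not None` / `if code is not None` guards also make the `or default` fallbacks dead, so the constructor reduces to `self.detail = detail if detail is not None else self.default_detail` and `self.code = code if code is not None else self.default_code`. The `status_code`/`default_detail`/`default_code` attributes follow the DRF `APIException` convention; Django's default handler turns `PermissionDenied` into a 403 response without reading them, so unless a DRF or custom handler consumes them they are informational only — a one-line class docstring stating which handler is expected to render them would help. Raising in `check_valid_user` instead of redirecting is the right fail-closed direction and, via the new `post` override, now covers POST requests that the old `get`-only check left open.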