add 403 exception for bad access

idhub/admin/views.py

@@ -52,6 +52,7 @@ class DobleFactorAuthView(AdminView, View):
     url = reverse_lazy('idhub:admin_dashboard')
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         if not self.request.session.get("2fauth"):
             return redirect(self.url)
             
@@ -132,6 +133,7 @@ class PeopleView(People, TemplateView):
 class PeopleActivateView(PeopleView):
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
 
@@ -153,6 +155,7 @@ class PeopleActivateView(PeopleView):
 class PeopleDeleteView(PeopleView):
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
 
@@ -317,6 +320,7 @@ class PeopleMembershipDeleteView(PeopleView):
     model = Membership
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
 
@@ -404,6 +408,7 @@ class PeopleRolDeleteView(PeopleView):
     model = UserRol
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
         user = self.object.user
@@ -467,6 +472,7 @@ class RolDeleteView(AccessControl):
     model = Rol
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
 
@@ -540,6 +546,7 @@ class ServiceDeleteView(AccessControl):
     model = Service
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
 
@@ -584,6 +591,7 @@ class CredentialView(Credentials):
 class CredentialJsonView(Credentials):
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         pk = kwargs['pk']
         self.object = get_object_or_404(
             VerificableCredential,
@@ -598,6 +606,7 @@ class RevokeCredentialsView(Credentials):
     success_url = reverse_lazy('idhub:admin_credentials')
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         pk = kwargs['pk']
         self.object = get_object_or_404(
             VerificableCredential,
@@ -617,6 +626,7 @@ class DeleteCredentialsView(Credentials):
     success_url = reverse_lazy('idhub:admin_credentials')
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         pk = kwargs['pk']
         self.object = get_object_or_404(
             VerificableCredential,
@@ -696,6 +706,7 @@ class DidDeleteView(Credentials, DeleteView):
     success_url = reverse_lazy('idhub:admin_dids')
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(self.model, pk=self.pk)
         Event.set_EV_ORG_DID_DELETED_BY_ADMIN(self.object)
@@ -734,6 +745,7 @@ class SchemasView(SchemasMix):
 class SchemasDeleteView(SchemasMix):
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(Schemas, pk=self.pk)
         self.object.delete()
@@ -744,6 +756,7 @@ class SchemasDeleteView(SchemasMix):
 class SchemasDownloadView(SchemasMix):
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         self.pk = kwargs['pk']
         self.object = get_object_or_404(Schemas, pk=self.pk)
 
@@ -822,6 +835,7 @@ class SchemasImportView(SchemasMix):
 class SchemasImportAddView(SchemasMix):
 
     def get(self, request, *args, **kwargs):
+        self.check_valid_user()
         file_name = kwargs['file_schema']
         schemas_files = os.listdir(settings.SCHEMAS_DIR)
         if not file_name in schemas_files:

idhub/mixins.py

@@ -3,6 +3,21 @@ from django.contrib.auth import views as auth_views
 from django.urls import reverse_lazy, resolve
 from django.utils.translation import gettext_lazy as _
 from django.shortcuts import redirect
+from django.http import Http404
+from django.core.exceptions import PermissionDenied
+
+
+
+class Http403(PermissionDenied):
+    status_code = 403
+    default_detail = _('Permission denied. User is not authenticated')
+    default_code = 'forbidden'
+
+    def __init__(self, detail=None, code=None):
+        if detail is not None:
+            self.detail = details or self.default_details
+        if code is not None:
+            self.code = code or self.default_code
 
 
 class UserView(LoginRequiredMixin):
@@ -26,11 +41,17 @@ class UserView(LoginRequiredMixin):
 class AdminView(UserView):
 
     def get(self, request, *args, **kwargs):
-        if not request.user.is_admin:
-            url = reverse_lazy('idhub:user_dashboard')
-            return redirect(url)
+        self.check_valid_user()
+        return super().get(request, *args, **kwargs)
+
+    def post(self, request, *args, **kwargs):
+        self.check_valid_user()
+        return super().post(request, *args, **kwargs)
+
+    def check_valid_user(self):
+        if not self.request.user.is_admin:
+            raise Http403
 
         if self.request.session.get("2fauth"):
-            return redirect(reverse_lazy("idhub:login"))
+            raise Http403
         
-        return super().get(request, *args, **kwargs)