Fixed incorrect permissions computation when using the DEFAULT_AUTHEN…

…TICATED_USER_FORUM_PERMISSIONS setting
ellmetha · May 12, 2017 · 0d007af · 0d007af
1 parent 50b590b
commit 0d007af
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 *.pyc
 *.pyo
 *.db

diff --git a/docs/release_notes/index.rst b/docs/release_notes/index.rst
@@ -12,6 +12,7 @@ Django-machina 0.5
 .. toctree::
     :maxdepth: 1
 
+    v0.5.4
     v0.5.3
     v0.5.2
     v0.5.1

diff --git a/docs/release_notes/v0.5.4.rst b/docs/release_notes/v0.5.4.rst
@@ -0,0 +1,14 @@
+###############################################
+Django-machina 0.5.4 release notes (2017-05-11)
+###############################################
+
+Requirements and compatibility
+------------------------------
+
+Python 2.7, 3.3, 3.4, 3.5 and 3.6. Django 1.8, 1.9, 1.10 and 1.11.
+
+Minor changes
+-------------
+
+* Fixed a security issue that allowed authenticated users to get permissions granted for forums when
+  using the ``MACHINA_DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS`` setting
diff --git a/machina/apps/forum_permission/handler.py b/machina/apps/forum_permission/handler.py
@@ -408,7 +408,8 @@ def _get_forums_for_user(self, user, perm_codenames, use_tree_hierarchy=False):
             if not user.is_anonymous() and not forum_objects.exists() \
                     and set(perm_codenames).issubset(set(
                         machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS)):
-                forum_objects = forum_queryset
+                forum_objects = forum_queryset.filter(
+                    ~Q(pk__in=(user_nongranted_forum_ids + group_nongranted_forum_ids)))
 
             if use_tree_hierarchy:
                 forum_objects = self._filter_granted_forums_using_tree(forum_objects)

diff --git a/tests/unit/permission/test_handler.py b/tests/unit/permission/test_handler.py
@@ -642,6 +642,19 @@ def test_filter_methods_fallback_to_default_forum_permissions_if_applicable(self
             == set(Forum.objects.all())
         machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = []
 
+    def test_filter_methods_can_fallback_to_default_permissions_but_prevent_access_to_non_granted_forums(self):  # noqa: E501
+        # Setup
+        codenames = [
+            'can_vote_in_polls',
+            'can_add_announcements',
+        ]
+        assign_perm('can_vote_in_polls', self.u1, forum=self.forum_2, has_perm=False)
+        machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = codenames
+        # Run & check
+        assert set(self.perm_handler._get_forums_for_user(self.u1, codenames)) \
+            == set(Forum.objects.exclude(pk=self.forum_2.pk))
+        machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = []
+
     def test_knows_if_a_user_can_subscribe_to_topics(self):
         # Setup
         u2 = UserFactory.create()