From 0d007af5c2ffba9fbd75570eb7a4b24f7499dff1 Mon Sep 17 00:00:00 2001
From: Morgan Aubert
Date: Thu, 11 May 2017 22:56:28 -0400
Subject: [PATCH] Fixed incorrect permissions computation when using the DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS setting

---
 .gitignore | 1 +
 docs/release_notes/index.rst | 1 +
 docs/release_notes/v0.5.4.rst | 14 ++++++++++++++
 machina/apps/forum_permission/handler.py | 3 ++-
 tests/unit/permission/test_handler.py | 13 +++++++++++++
 5 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 docs/release_notes/v0.5.4.rst

diff --git a/.gitignore b/.gitignore
index ac24434d8..a482e0cf6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 *.pyc
 *.pyo
 *.db
diff --git a/docs/release_notes/index.rst b/docs/release_notes/index.rst
index 7c000639e..48ecec241 100644
--- a/docs/release_notes/index.rst
+++ b/docs/release_notes/index.rst
@@ -12,6 +12,7 @@ Django-machina 0.5
 .. toctree::
 :maxdepth: 1
 
+ v0.5.4
 v0.5.3
 v0.5.2
 v0.5.1
diff --git a/docs/release_notes/v0.5.4.rst b/docs/release_notes/v0.5.4.rst
new file mode 100644
index 000000000..3b018ee41
--- /dev/null
+++ b/docs/release_notes/v0.5.4.rst
@@ -0,0 +1,14 @@
+###############################################
+Django-machina 0.5.4 release notes (2017-05-11)
+###############################################
+
+Requirements and compatibility
+------------------------------
+
+Python 2.7, 3.3, 3.4, 3.5 and 3.6. Django 1.8, 1.9, 1.10 and 1.11.
+
+Minor changes
+-------------
+
+* Fixed a security issue that allowed authenticated users to get permissions granted for forums when
+ using the ``MACHINA_DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS`` setting
diff --git a/machina/apps/forum_permission/handler.py b/machina/apps/forum_permission/handler.py
index 7db90d6ad..95d343f02 100644
--- a/machina/apps/forum_permission/handler.py
+++ b/machina/apps/forum_permission/handler.py
@@ -408,7 +408,8 @@ def _get_forums_for_user(self, user, perm_codenames, use_tree_hierarchy=False):
 if not user.is_anonymous() and not forum_objects.exists() \
 and set(perm_codenames).issubset(set(
 machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS)):
- forum_objects = forum_queryset
+ forum_objects = forum_queryset.filter(
+ ~Q(pk__in=(user_nongranted_forum_ids + group_nongranted_forum_ids)))
 
 if use_tree_hierarchy:
 forum_objects = self._filter_granted_forums_using_tree(forum_objects)
diff --git a/tests/unit/permission/test_handler.py b/tests/unit/permission/test_handler.py
index 15c6d7032..48d0c8dfd 100644
--- a/tests/unit/permission/test_handler.py
+++ b/tests/unit/permission/test_handler.py
@@ -642,6 +642,19 @@ def test_filter_methods_fallback_to_default_forum_permissions_if_applicable(self
 == set(Forum.objects.all())
 machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = []
 
+ def test_filter_methods_can_fallback_to_default_permissions_but_prevent_access_to_non_granted_forums(self): # noqa: E501
+ # Setup
+ codenames = [
+ 'can_vote_in_polls',
+ 'can_add_announcements',
+ ]
+ assign_perm('can_vote_in_polls', self.u1, forum=self.forum_2, has_perm=False)
+ machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = codenames
+ # Run & check
+ assert set(self.perm_handler._get_forums_for_user(self.u1, codenames)) \
+ == set(Forum.objects.exclude(pk=self.forum_2.pk))
+ machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = []
+
 def test_knows_if_a_user_can_subscribe_to_topics(self):
 # Setup
 u2 = UserFactory.create()
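Review bot: The fallback branch now excludes forums carrying an explicit denial, but nothing in the hunk records why that exclusion is security-relevant, and `filter(~Q(pk__in=...))` is a less direct spelling than Django's `exclude` for a single-valued lookup; I would write `forum_objects = forum_queryset.exclude(pk__in=user_nongranted_forum_ids + group_nongranted_forum_ids)` preceded by `# Explicit per-forum denials (has_perm=False), for the user or any of their groups, must still win over the default-permission fallback.` This assumes `user_nongranted_forum_ids` and `group_nongranted_forum_ids` are plain lists (the `+` would not concatenate two querysets) and that `Q` is already imported in handler.py; both are established outside the hunk, so I could not confirm them. The fallback also remains gated on `not forum_objects.exists()`, so a user holding any direct grant never reaches this branch, which is presumably intended but worth stating in the same comment. `_get_forums_for_user` begins before the hunk and continues after it.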
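Review bot: The new test covers only a user-level denial, while the handler.py change also subtracts `group_nongranted_forum_ids`, so the group path of the fix has no test; a second case that assigns `has_perm=False` on `self.forum_2` to one of `self.u1`'s groups (assuming the `assign_perm` helper accepts a group as it does a user) would pin that behaviour. Separately, the module-level `DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS` is restored only after the assertion, so a failing assertion leaks `codenames` into every later test in the process (the preceding test visible in the context lines has the same shape); wrapping the run-and-check part in `try:` / `finally: machina_settings.DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS = []` makes the teardown unconditional. The enclosing test class starts before the hunk.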