Commit a803d6eb authored by BAIRE Anthony's avatar BAIRE Anthony

return 404 instead of 403 when access to a job is denied

(to avoid any info leak)
parent 19716de7
......@@ -95,16 +95,13 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin):
"""
user = get_request_user(self.request)
if user is None:
return False
self.raise_exception = True # to return a 403
try:
job = Job.objects.get(id=self.kwargs['pk'])
except Job.DoesNotExist:
return False
if job.state in (Job.NEW, Job.DELETED, Job.ARCHIVED):
raise Http404
return user.is_superuser or user == getattr(job, "user", ())
return False # must authenticate
job = Job.objects.only("user").filter(id=self.kwargs['pk']).exclude(
state__in=(Job.NEW, Job.DELETED, Job.ARCHIVED)).first()
if job is not None and (user.is_superuser or user.id == job.user_id):
return True
raise Http404
def handle_no_permission(self):
if not self.raise_exception and self.request.path_info.startswith("/api/"):
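Review bot: The new denial path raises Http404 from inside test_func, which bypasses UserPassesTestMixin's handle_no_permission for every authenticated-but-unauthorised request, and nothing on the raise line records that this is deliberate; add `# job missing, hidden (NEW/DELETED/ARCHIVED) and foreign all yield 404 so a caller cannot probe which job ids exist` above `raise Http404`. Because `self.raise_exception = True` was removed, handle_no_permission (whose `if not self.raise_exception and ...` branch closes the hunk and continues outside it) is now reached only when get_request_user returns None and relies on the mixin's default for raise_exception, so that branch should be checked against what the `/api/` clients expect for unauthenticated calls. The test_func docstring that ends at the top of the hunk begins outside it and presumably still describes the old 403 behaviour; it should now state that access is decided by `only("user")` on the job row and that denial is signalled by raising Http404 rather than returning False. If the URL pattern does not constrain `pk` to digits, `filter(id=self.kwargs['pk'])` may raise ValueError for a malformed id and surface as a 500 rather than a 404 — worth confirming against the urlconf.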