return 404 instead of 403 when access to a job is denied

(to avoid any info leak)

return 404 instead of 403 when access to a job is denied
(to avoid any info leak)
a803d6eb · BAIRE Anthony · 19716de7 · a803d6eb
Commit a803d6eb authored Mar 18, 2020 by BAIRE Anthony
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 10 deletions

django/allgo/main/mixins.py django/allgo/main/mixins.py +7 -10

No files found.
--- a/django/allgo/main/mixins.py
+++ b/django/allgo/main/mixins.py
@@ -95,16 +95,13 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin):
        """
        user = get_request_user(self.request)
        if user is None:
-            return False
-        self.raise_exception = True # to return a 403
-        try:
-            job = Job.objects.get(id=self.kwargs['pk'])
-        except Job.DoesNotExist:
-            return False
-        if job.state in (Job.NEW, Job.DELETED, Job.ARCHIVED):
-            raise Http404
-
-        return user.is_superuser or user == getattr(job, "user", ())
+            return False    # must authenticate
+        job = Job.objects.only("user").filter(id=self.kwargs['pk']).exclude(
+                state__in=(Job.NEW, Job.DELETED, Job.ARCHIVED)).first()
+        if job is not None and (user.is_superuser or user.id == job.user_id):
+            return True
+
+        raise Http404

    def handle_no_permission(self):
        if not self.raise_exception and self.request.path_info.startswith("/api/"):