allgo
Commit a803d6eb
authored Mar 18, 2020 by BAIRE Anthony
return 404 instead of 403 when access to a job is denied
(to avoid any info leak)
parent 19716de7
Changes: 1
django/allgo/main/mixins.py
...
...
@@ -95,16 +95,13 @@ class JobAuthMixin(AllgoValidAccountMixin, UserPassesTestMixin):
"""
user
=
get_request_user
(
self
.
request
)
if
user
is
None
:
return
False
self
.
raise_exception
=
True
# to return a 403
try
:
job
=
Job
.
objects
.
get
(
id
=
self
.
kwargs
[
'pk'
])
except
Job
.
DoesNotExist
:
return
False
if
job
.
state
in
(
Job
.
NEW
,
Job
.
DELETED
,
Job
.
ARCHIVED
):
raise
Http404
return
user
.
is_superuser
or
user
==
getattr
(
job
,
"user"
,
())
return
False
# must authenticate
job
=
Job
.
objects
.
only
(
"user"
).
filter
(
id
=
self
.
kwargs
[
'pk'
]).
exclude
(
state__in
=
(
Job
.
NEW
,
Job
.
DELETED
,
Job
.
ARCHIVED
)).
first
()
if
job
is
not
None
and
(
user
.
is_superuser
or
user
.
id
==
job
.
user_id
):
return
True
raise
Http404
def
handle_no_permission
(
self
):
if
not
self
.
raise_exception
and
self
.
request
.
path_info
.
startswith
(
"/api/"
):
...
...
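Review bot: with `self.raise_exception = True` gone, `test_func` no longer returns `False` for an authenticated user, so the `not self.raise_exception and self.request.path_info.startswith("/api/")` branch in `handle_no_permission` is now reachable only from the `user is None` path; please confirm that branch still yields the intended response for unauthenticated API calls, and note in the mixin docstring that every denial after authentication now surfaces as a 404 rather than a 403. Collapsing the three denial cases (unknown id, `NEW`/`DELETED`/`ARCHIVED` state, foreign owner) into the single `raise Http404` is what removes the existence oracle, and the `only("user")` lookup compared via `user.id == job.user_id` avoids the extra user query that the old `user == getattr(job, "user", ())` comparison triggered. The chained `Job.objects.only("user").filter(...).exclude(...).first()` expression would read better split at the `.filter`/`.exclude` boundaries.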
BAIRE Anthony @abaire mentioned in issue #305 (closed) · Apr 26, 2022