Attention une mise à jour du serveur va être effectuée le lundi 17 mai entre 13h et 13h30. Cette mise à jour va générer une interruption du service de quelques minutes.

Commit cf44a5a0 authored by Ryan Herbert's avatar Ryan Herbert

file.py add permissions check to edit_form

when editing a file, a permissions check was missing after having
submitted the form.
Meaning if a user were to guess the correct identification string, it
was possible to upload files to a sample_set which the user did not have
access to.
parent a4e7ce8d
......@@ -346,10 +346,17 @@ def edit_form():
if request.vars['patient_id'] != '' :
patient_id = int(request.vars['patient_id'].split('(')[-1][:-1])
if not auth.can_modify_patient(patient_id):
error += "permission denied to edit patient %d" % patient_id
if request.vars['run_id'] != '' :
run_id = int(request.vars['run_id'].split('(')[-1][:-1])
if not auth.can_modify_run(run_id):
error += "permission denied to edit run %d" % run_id
if request.vars['generic_id'] != '' :
generic_id = int(request.vars['generic_id'].split('(')[-1][:-1])
generic = db.generic[generic_id]
if not auth.can_modify_sample_set(generic.sample_set_id):
error += "permission denied to edit sample_set %d" % generic_id
if request.vars['id'] == None :
error += "missing id"
if request.vars['filename'] == None :
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment