From 0317d50497466315df1d9df8372047c36b4748e1 Mon Sep 17 00:00:00 2001
From: Bach Dániel <bd@ik.bme.hu>
Date: Fri, 4 Jul 2014 11:40:23 +0200
Subject: [PATCH] dashboard: fix permission checks in TemplateDetail
---
 circle/dashboard/forms.py | 3 +++
 circle/dashboard/views.py | 6 ------
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/circle/dashboard/forms.py b/circle/dashboard/forms.py
index d00dfff..588a55b 100644
--- a/circle/dashboard/forms.py
+++ b/circle/dashboard/forms.py
@@ -25,6 +25,7 @@ from django.contrib.auth.forms import (
 )
 from django.contrib.auth.models import User, Group
 from django.core.validators import URLValidator
+from django.core.exceptions import PermissionDenied
 from crispy_forms.helper import FormHelper
 from crispy_forms.layout import (
@@ -624,6 +625,8 @@ class TemplateForm(forms.ModelForm):
 networks = InterfaceTemplate.objects.filter(
 template=self.instance).values_list("vlan", flat=True)
 for m in data['networks']:
+ if not m.has_level(self.user, "user"):
+ raise PermissionDenied()
 if m.pk not in networks:
 InterfaceTemplate(vlan=m, managed=m.managed, template=self.instance).save()
diff --git a/circle/dashboard/views.py b/circle/dashboard/views.py
index 5cc532c..1f819b2 100644
--- a/circle/dashboard/views.py
+++ b/circle/dashboard/views.py
@@ -1142,12 +1142,6 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
 template = self.get_object()
 if not template.has_level(request.user, 'owner'):
 raise PermissionDenied()
- for disk in self.get_object().disks.all():
- if not disk.has_level(request.user, 'user'):
- raise PermissionDenied()
- for network in self.get_object().interface_set.all():
- if not network.vlan.has_level(request.user, "user"):
- raise PermissionDenied()
 return super(TemplateDetail, self).post(self, request, args, kwargs)
 def get_form_kwargs(self):
--
libgit2 0.26.0
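Review bot: The new `has_level` check in the `for m in data['networks']` loop of TemplateForm runs between `InterfaceTemplate(...).save()` calls, so a denial on a later network can leave the interfaces for earlier ones already written. The whole selection should be authorized before anything is persisted, for example `if not all(m.has_level(self.user, "user") for m in data['networks']):` followed by `raise PermissionDenied()` placed ahead of the loop. The enclosing method starts outside the hunk, so whether it already runs inside a transaction, and where `self.user` is set, cannot be seen from here. The per-disk `has_level` check removed from `TemplateDetail.post` in views.py has no counterpart in the visible hunks; it is worth confirming that disks cannot be changed through this form.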