Commit cd79cf64 authored by delanoe

[SECURITY FIX] BUG 31

parent 2c722270
......@@ -251,7 +251,7 @@ def save( request , project_id ) :
user = cache.User[request.user.id]
if not user.owns(project):
raise HttpResponseForbidden()
return HttpResponseForbidden()
if request.method == "POST":
......
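Review bot: Replacing `raise HttpResponseForbidden()` with `return HttpResponseForbidden()` is the right correction (a response object is not an exception, so the old line would have produced a 500 instead of a 403), but in views that otherwise signal failure with `raise Http404()` the exception form `raise PermissionDenied` from django.core.exceptions would keep the failure style uniform and route the 403 through Django's handler403 rather than returning an empty body; the same one-line change recurs in the hunks at L48 and L57, and the new code at L13 and L36 uses the same return form. This hunk also shows no guard on `project` being None before `user.owns(project)` is called, whereas the hunk at L48 has `raise Http404()` directly above the check and the hunk at L13 adds one; confirm that the lookup preceding this hunk (outside it) does the same, or that `owns()` tolerates None. The body of save() starts and continues outside this hunk.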
......@@ -86,15 +86,16 @@ class NewCorpusForm(forms.Form):
@requires_auth
def project(request, project_id):
# current user
user = cache.User[request.user.id]
# viewed project
# security check
project = session.query(Node).filter(Node.id == project_id).first()
user = cache.User[request.user.id]
if project is None:
raise Http404()
if not user.owns(project):
raise HttpResponseForbidden()
return HttpResponseForbidden()
# end of security check
# new corpus
if request.method == 'POST':
......
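Review bot: The `# current user` comment at the top of the hunk appears to be left behind without the statement it described, since `user = cache.User[request.user.id]` now sits after the project query inside the security-check block; drop the stale comment or move it next to the new assignment. The lookup `session.query(Node).filter(Node.id == project_id).first()` accepts any node with that id regardless of its type, so if nodes carry a type attribute (the explorer hunk at L36 calls `children(typename="MAPLIST")`, which suggests one) the filter could also constrain it, e.g. `Node.typename == <PROJECT_TYPE_PLACEHOLDER>`, so that a non-project id yields the 404 as well — confirm the attribute name against the model. The enclosing project() view continues past this hunk.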
......@@ -7,7 +7,6 @@ from gargantext.settings import *
from datetime import datetime
@requires_auth
def explorer(request, project_id, corpus_id):
'''
......@@ -20,6 +19,13 @@ def explorer(request, project_id, corpus_id):
# we pass our corpus
corpus = cache.Node[corpus_id]
# security check
user = cache.User[request.user.id]
if corpus is None:
raise Http404()
if not user.owns(corpus):
return HttpResponseForbidden()
# get the maplist_id for modifications
maplist_id = corpus.children(typename="MAPLIST").first().id
......
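Review bot: The new `if corpus is None: raise Http404()` only takes effect if `cache.Node[corpus_id]` returns None for an unknown id; the project view in the hunk at L13 gets its None from `.first()`, whereas an item lookup on a cache may raise `KeyError` instead, which would surface as a 500 rather than the intended 404 — confirm the cache's miss behaviour, or wrap the lookup: `try: corpus = cache.Node[corpus_id]` / `except KeyError: raise Http404()`. The check also verifies ownership of the corpus alone; `project_id` from the URL is not compared with the corpus's parent, so if the view uses `project_id` further down (outside this hunk) it should be validated the same way. explorer() begins in the preceding hunk and continues past this one.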
......@@ -58,7 +58,7 @@ def save(request, project_id):
raise Http404()
user = cache.User[request.user.id]
if not user.owns(project):
raise HttpResponseForbidden()
return HttpResponseForbidden()
# corpus node instanciation as a Django model
corpus = Node(
......
......@@ -86,7 +86,7 @@ def save( request , project_id ) :
user = cache.User[request.user.id]
if not user.owns(project):
raise HttpResponseForbidden()
return HttpResponseForbidden()
if request.method == "POST":
......