[SECURITY FIX] BUG 31

cd79cf64 · delanoe · 2c722270 · cd79cf64 · cd79cf64 · cd79cf64
Commit cd79cf64 authored Oct 05, 2016 by delanoe
Showing with 15 additions and 8 deletions

PUBMED.py gargantext/util/crawlers/PUBMED.py +1 -1

projects.py gargantext/views/pages/projects.py +5 -4

views.py graph/views.py +7 -1

cern.py moissonneurs/cern.py +1 -1

pubmed.py moissonneurs/pubmed.py +1 -1

No files found.
--- a/gargantext/util/crawlers/PUBMED.py
+++ b/gargantext/util/crawlers/PUBMED.py
@@ -251,7 +251,7 @@ def save( request , project_id ) :

    user = cache.User[request.user.id]
    if not user.owns(project):
-        raise HttpResponseForbidden()
+        return HttpResponseForbidden()


    if request.method == "POST":

--- a/gargantext/views/pages/projects.py
+++ b/gargantext/views/pages/projects.py
@@ -86,15 +86,16 @@ class NewCorpusForm(forms.Form):

 @requires_auth
 def project(request, project_id):
-    # current user
-    user = cache.User[request.user.id]

-    # viewed project
+    # security check
    project = session.query(Node).filter(Node.id == project_id).first()
+    user = cache.User[request.user.id]
+    
    if project is None:
        raise Http404()
    if not user.owns(project):
-        raise HttpResponseForbidden()
+        return HttpResponseForbidden()
+    # end of security check

    # new corpus
    if request.method == 'POST':

--- a/graph/views.py
+++ b/graph/views.py
@@ -7,7 +7,6 @@ from gargantext.settings import *

 from datetime import datetime

-
 @requires_auth
 def explorer(request, project_id, corpus_id):
    '''
@@ -21,6 +20,13 @@ def explorer(request, project_id, corpus_id):
    # we pass our corpus
    corpus = cache.Node[corpus_id]
    
+    # security check
+    user = cache.User[request.user.id]
+    if corpus is None:
+        raise Http404()
+    if not user.owns(corpus):
+        return HttpResponseForbidden()
+
    # get the maplist_id for modifications
    maplist_id = corpus.children(typename="MAPLIST").first().id


--- a/moissonneurs/cern.py
+++ b/moissonneurs/cern.py
@@ -58,7 +58,7 @@ def save(request, project_id):
            raise Http404()
        user = cache.User[request.user.id]
        if not user.owns(project):
-            raise HttpResponseForbidden()
+            return HttpResponseForbidden()
        # corpus node instanciation as a Django model

        corpus = Node(

--- a/moissonneurs/pubmed.py
+++ b/moissonneurs/pubmed.py
@@ -86,7 +86,7 @@ def save( request , project_id ) :

    user = cache.User[request.user.id]
    if not user.owns(project):
-        raise HttpResponseForbidden()
+        return HttpResponseForbidden()


    if request.method == "POST":