Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix unpriviledged users being able to access bulk process#6290

Closed
f-osorio wants to merge 3 commits into
ckan:masterfrom
f-osorio:prevent-unauth-user-accessing-bulk-process
Closed

Fix unpriviledged users being able to access bulk process#6290
f-osorio wants to merge 3 commits into
ckan:masterfrom
f-osorio:prevent-unauth-user-accessing-bulk-process

Conversation

@f-osorio
Copy link
Copy Markdown

@f-osorio f-osorio commented Jul 28, 2021

Any user was able to access and view the bulk process page for organization
management. This fix checks access and returns unauthorized exception
if theuser shouldn't be there.

Fixes #

Proposed fixes:

Added check_access for group update and a catch statement for NotAuthorized

Fix unpriviledged users being able to access bulk process
e1bc4c8 
Any user was able to access and view the bulk process page for organization
management. This fix checks access and returns unauthorized exception
if theuser shouldn't be there.
@smotornyuk
Copy link
Copy Markdown
Member

smotornyuk commented Jul 29, 2021

I see that the post-handler of the same view uses the bulk_update_public auth function. Can you do the same in the get-handler? Or even extract this auth-check and put it into the _prepare method.

@smotornyuk smotornyuk self-assigned this Jul 29, 2021
Move auth check to _prepare method
9720d80 
Previously implementation only worked for GET requests, now works with
GET and POST requests
@f-osorio
Copy link
Copy Markdown
Author

f-osorio commented Jul 29, 2021

I see that the post-handler of the same view uses the bulk_update_public auth function. Can you do the same in the get-handler? Or even extract this auth-check and put it into the _prepare method.

Right, I'll get that in soon.

Use bulk_update_public to check access
52ecccc 
Was using group_update. Also removed duplicate check from POST request
@smotornyuk smotornyuk mentioned this pull request Aug 27, 2021
Merged
@smotornyuk
Copy link
Copy Markdown
Member

smotornyuk commented Aug 27, 2021

As we need it for backport, i've fixed tests in a new PR #6346

@smotornyuk smotornyuk closed this Aug 27, 2021
smotornyuk added a commit that referenced this pull request Aug 30, 2021
@smotornyuk
Merge pull request #6346 from ckan/6290-f-osorio-prevent-unauth-user-…
d8941a0 
…accessing-bulk-process

[#6290] prevent unauth user accessing bulk process [test fix]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@smotornyuk smotornyuk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@f-osorio @smotornyuk @amercader