Check that the object we are attaching is readable by us for extra security on attaching resources.

This commit is contained in:
Michael DeHaan
2013-04-19 15:25:19 -04:00
parent 0ed275c3c8
commit 86de2c8846
3 changed files with 39 additions and 9 deletions


@@ -138,10 +138,15 @@ class BaseSubList(BaseList):
# no attaching to yourself
raise PermissionDenied()
if self.__class__.parent_model != User:
if not obj.__class__.can_user_read(request.user, obj):
raise PermissionDenied()
if not self.__class__.parent_model.can_user_attach(request.user, main, obj, self.__class__.relationship, request.DATA):
raise PermissionDenied()
else:
if not UserHelper.can_user_read(request.user, obj):
raise PermissionDenied()
# FIXME: should generalize this
if not UserHelper.can_user_attach(request.user, main, obj, self.__class__.relationship, request.DATA):
raise PermissionDenied()