Sicherheitslücke Standards

2021-04-14 17:00:52 +02:00 · 2021-04-14 17:00:52 +02:00 · 848bd524e8
parent a2555511cd
commit 848bd524e8
2 changed files with 373 additions and 322 deletions
--- a/standards/templates/standards/standards_management.html
+++ b/standards/templates/standards/standards_management.html
@ -61,8 +61,11 @@
                    {% for s in task.standards %}
                      <!-- VISIBLE GROUPCHECK -->
                      {% setbool False %}
+                      
                      {% for ag in s.visibleby.all %}
+                      
                        {% if request.user|has_group:ag.group.name %}
+
                          {% setbool True %}
                        {% endif %}
                      {% endfor %}
--- a/standards/views.py
+++ b/standards/views.py
@ -274,6 +274,26 @@ def StandardAdd(request, id=False):
 		standard = Standards.objects.get(pk=id, agency=request.user.profile.agency)
 		# SAVE UPDATED STANDARD
 		if request.method == 'POST':
+
+			
+
+
+
+			# CHECK IF USER HAS RIGHTS TO SEE THIS DIR
+			groupsofstandard = standard
+
+			userisingroup = False
+
+			if len(groupsofstandard.visibleby.all()) == 0:
+				userisingroup = True
+			else:
+				for ag in groupsofstandard.visibleby.all():
+					
+					if ag.group in request.user.groups.all():
+						userisingroup = True
+			
+			if userisingroup:
+				
 				normalForm = StandardUpdateStandard(request.POST, instance=standard)
 				editorForm = StandardUpdateStandardEditor(request.POST, instance=standard)

@ -482,6 +502,28 @@ def StandardAdd(request, id=False):
 					return redirect('/standards')	
 		# SHOW EXISTING STANDARD
 		else:
+
+
+			# CHECK IF USER HAS RIGHTS TO SEE THIS DIR
+			groupsofstandard = standard
+
+			userisingroup = False
+
+			if len(groupsofstandard.visibleby.all()) == 0:
+				userisingroup = True
+			else:
+				for ag in groupsofstandard.visibleby.all():
+					
+					if ag.group in request.user.groups.all():
+						userisingroup = True
+			
+			if userisingroup:
+				
+
+
+
+
+
 				normalForm = StandardUpdateStandard(instance=standard)
 				editorForm = StandardUpdateStandardEditor(instance=standard)
 				# GET ALL DATAS FROM STANDARD
@ -616,6 +658,11 @@ def StandardAdd(request, id=False):
 					'aggroups' : AgencyGroup.objects.filter(agency=request.user.profile.agency)
 					}			
 				return render(request, 'standards/standards_add.html', context)
+			else:
+				context = {
+					'active_link':'standards'
+				}
+				return render(request, 'standards/standards_noentrie.html', context)


 '''
@ -713,6 +760,7 @@ def StandardSingle(request, pk):
 		userisingroup = True
 	else:
 		for ag in groupsofstandard.visibleby.all():
+			
 			if ag.group in request.user.groups.all():
 				userisingroup = True