delete view is not protected to wrong kind of users

Felipe Henrique de Almeida Bormann
1 parent 91238933
Showing 1 changed file with 17 additions and 1 deletions Show diff stats
categories/views.py
@@ -3,7 +3,7 @@ from django.views.generic import ListView, CreateView, DeleteView, UpdateView
 from .models import Category
 from django.core.urlresolvers import reverse_lazy
 from rolepermissions.verifications import has_role
-
+from django.db.models import Q
 from django.contrib import messages
 from django.http import HttpResponse, JsonResponse
 from django.utils.translation import ugettext_lazy as _
@@ -142,6 +142,22 @@ class DeleteCategory(LoginRequiredMixin, LogMixin, DeleteView):
     model = Category
     template_name = 'categories/delete.html'
  
+    def dispatch(self, request, *args, **kwargs):
+        pk = request.user.pk
+
+        if not request.user.is_staff:
+            category = Category.objects.filter(Q(coordinators__pk = pk) & Q(slug = kwargs['slug']))
+            if category.count() == 0:
+                if request.META.get('HTTP_REFERER'):
+                    return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
+                else:
+                    return redirect('subjects:index')
+        if request.method.lower() in self.http_method_names:
+            handler = getattr(self, request.method.lower(), self.http_method_not_allowed)
+        else:
+            handler = self.http_method_not_allowed
+        return handler(request, *args, **kwargs)
+
     def delete(self, request, *args, **kwargs):
         category = get_object_or_404(Category, slug = self.kwargs.get('slug'))
         subjects = Subject.objects.filter(category = category)
...	...	@@ -3,7 +3,7 @@ from django.views.generic import ListView, CreateView, DeleteView, UpdateView
3	3	from .models import Category
4	4	from django.core.urlresolvers import reverse_lazy
5	5	from rolepermissions.verifications import has_role
6		-
	6	+from django.db.models import Q
7	7	from django.contrib import messages
8	8	from django.http import HttpResponse, JsonResponse
9	9	from django.utils.translation import ugettext_lazy as _
...	...	@@ -142,6 +142,22 @@ class DeleteCategory(LoginRequiredMixin, LogMixin, DeleteView):
142	142	model = Category
143	143	template_name = 'categories/delete.html'
144	144
	145	+ def dispatch(self, request, args, *kwargs):
	146	+ pk = request.user.pk
	147	+
	148	+ if not request.user.is_staff:
	149	+ category = Category.objects.filter(Q(coordinators__pk = pk) & Q(slug = kwargs['slug']))
	150	+ if category.count() == 0:
	151	+ if request.META.get('HTTP_REFERER'):
	152	+ return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
	153	+ else:
	154	+ return redirect('subjects:index')
	155	+ if request.method.lower() in self.http_method_names:
	156	+ handler = getattr(self, request.method.lower(), self.http_method_not_allowed)
	157	+ else:
	158	+ handler = self.http_method_not_allowed
	159	+ return handler(request, args, *kwargs)
	160	+
145	161	def delete(self, request, args, *kwargs):
146	162	category = get_object_or_404(Category, slug = self.kwargs.get('slug'))
147	163	subjects = Subject.objects.filter(category = category)
...	...