manager: ignore select2 request if no user is logged (#45310)
This commit is contained in:
parent
757b823236
commit
43d20aafa1
|
@ -678,6 +678,8 @@ class Select2View(AutoResponseView):
|
|||
'''Overrided default django-select2 view to enforce security checks on Select2 AJAX requests.'''
|
||||
|
||||
def get_widget_or_404(self):
|
||||
if not self.request.user.is_authenticated or not hasattr(self.request.user, 'filter_by_perm'):
|
||||
raise Http404('Invalid user')
|
||||
field_data = self.kwargs.get('field_id', self.request.GET.get('field_id', None))
|
||||
try:
|
||||
field_data = signing.loads(field_data)
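Review bot: The new guard at the top of `get_widget_or_404` tests `self.request.user.is_authenticated` as a plain attribute; if the project still supports Django releases where that is a method rather than a boolean, the bound method is always truthy and the check is silently bypassed, so the minimum supported Django version should be confirmed before relying on it. The `hasattr(self.request.user, 'filter_by_perm')` half carries no explanation and deserves a why-comment, e.g. `# only users carrying the permission filter may query Select2 choices; answer a bare 404 so the endpoint reveals nothing else`. `field_data` can still be None when neither the URL kwarg nor the query string carries a `field_id`, and whether the `try` below copes with that depends on the except clause, which lies outside the hunk. `get_widget_or_404` continues past the end of the hunk.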
|
||||
@ -1030,3 +1030,7 @@ def test_manager_widgets_field_id_other_user(app, admin, simple_user, simple_rol
|
|||
select2_json = request_select2(app, response)
|
||||
# simple_user doesn't see all roles
|
||||
assert simple_role.pk == select2_json['results'][0]['id']
|
||||
|
||||
# anymous user receive 404
|
||||
app.session.flush()
|
||||
select2_json = request_select2(app, response, get_kwargs={'status': 404})
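Review bot: The result of the 404 request on the last added line is bound to `select2_json`, but with a 404 the helper returns the raw response rather than parsed JSON and the value is never used; drop the assignment, `request_select2(app, response, get_kwargs={'status': 404})`, so the name does not mislead. The added comment has a typo and should read `# anonymous users receive 404`. The enclosing test function starts before the hunk.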
|
||||
@ -211,11 +211,14 @@ def find_free_tcp_port():
|
|||
return s.getsockname()[1]
|
||||
|
||||
|
||||
def request_select2(app, response, term=''):
|
||||
def request_select2(app, response, term='', get_kwargs=None):
|
||||
select2_url = response.pyquery('select')[0].attrib['data-ajax--url']
|
||||
select2_field_id = response.pyquery('select')[0].attrib['data-field_id']
|
||||
select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': term})
|
||||
return select2_response.json
|
||||
select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': term}, **(get_kwargs or {}))
|
||||
if select2_response['content-type'] == 'application/json':
|
||||
return select2_response.json
|
||||
else:
|
||||
return select2_response
|
||||
|
||||
|
||||
@contextmanager
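Review bot: The content-type check in the new `request_select2` body compares the raw header with `'application/json'`, which misses a reply carrying a charset parameter (`application/json; charset=utf-8`) and raises KeyError when the header is absent; `if select2_response.content_type == 'application/json':` uses WebTest's parameter-stripped accessor and avoids both. The `else:` wrapping the second `return` is redundant after the first `return` and can be dropped. The helper also lacks a docstring; it should say that it issues the Select2 AJAX request advertised by *response*'s select widget, forwards `get_kwargs` to `app.get`, and returns the parsed JSON body for JSON replies or the raw response otherwise.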
|
||||