manager: ignore select2 request if no user is logged (#45310)

2020-07-26 15:40:57 +02:00 · 2020-07-26 15:40:57 +02:00 · 43d20aafa1
parent 757b823236
commit 43d20aafa1
3 changed files with 12 additions and 3 deletions
--- a/src/authentic2/manager/views.py
+++ b/src/authentic2/manager/views.py
@ -678,6 +678,8 @@ class Select2View(AutoResponseView):
    '''Overrided default django-select2 view to enforce security checks on Select2 AJAX requests.'''

    def get_widget_or_404(self):
+        if not self.request.user.is_authenticated or not hasattr(self.request.user, 'filter_by_perm'):
+            raise Http404('Invalid user')
        field_data = self.kwargs.get('field_id', self.request.GET.get('field_id', None))
        try:
            field_data = signing.loads(field_data)
--- a/tests/test_manager.py
+++ b/tests/test_manager.py
@ -1030,3 +1030,7 @@ def test_manager_widgets_field_id_other_user(app, admin, simple_user, simple_rol
    select2_json = request_select2(app, response)
    # simple_user doesn't see all roles
    assert simple_role.pk == select2_json['results'][0]['id']
+
+    # anymous user receive 404
+    app.session.flush()
+    select2_json = request_select2(app, response, get_kwargs={'status': 404})
--- a/tests/utils.py
+++ b/tests/utils.py
@ -211,11 +211,14 @@ def find_free_tcp_port():
        return s.getsockname()[1]


-def request_select2(app, response, term=''):
+def request_select2(app, response, term='', get_kwargs=None):
    select2_url = response.pyquery('select')[0].attrib['data-ajax--url']
    select2_field_id = response.pyquery('select')[0].attrib['data-field_id']
-    select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': term})
-    return select2_response.json
+    select2_response = app.get(select2_url, params={'field_id': select2_field_id, 'term': term}, **(get_kwargs or {}))
+    if select2_response['content-type'] == 'application/json':
+        return select2_response.json
+    else:
+        return select2_response


@contextmanager