mo8it/AdvLabDB
1
0
Fork 0
mirror of https://codeberg.org/Mo8it/AdvLabDB.git synced 2024-12-20 23:41:20 +00:00
Code Releases Activity

Security fix

Browse source
This commit is contained in:
Mo 2021-11-30 01:36:19 +01:00
parent 490eb8e14c
commit 52506fc47f
2 changed files with 47 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
advlabdb/customClasses.py
View file

@ -4,6 +4,7 @@ from flask_admin.contrib.sqla import ModelView
from flask_security import current_user from flask_security import current_user
from advlabdb.exceptions import DataBaseException, ModelViewException from advlabdb.exceptions import DataBaseException, ModelViewException
from advlabdb.utils import reportBadAttempt
def adminViewIsAccessible(): def adminViewIsAccessible():
@ -31,9 +32,6 @@ class SecureAssistantIndexView(CustomIndexView):
class CustomModelView(ModelView): class CustomModelView(ModelView):
can_export = True
can_set_page_size = True
create_modal = True create_modal = True
edit_modal = True edit_modal = True
details_modal = True details_modal = True
@ -87,6 +85,14 @@ class CustomModelView(ModelView):
class SecureAdminModelView(CustomModelView): class SecureAdminModelView(CustomModelView):
can_export = True
can_set_page_size = True
can_create = True
can_edit = True
can_delete = True
column_display_actions = True
list_template = "admin_list.html" list_template = "admin_list.html"
create_template = "admin_create.html" create_template = "admin_create.html"
edit_template = "admin_edit.html" edit_template = "admin_edit.html"
@ -96,6 +102,14 @@ class SecureAdminModelView(CustomModelView):
class SecureAssistantModelView(CustomModelView): class SecureAssistantModelView(CustomModelView):
can_export = False
can_set_page_size = False
can_create = False
can_edit = False
can_delete = False
column_display_actions = False
list_template = "assistant_list.html" list_template = "assistant_list.html"
create_template = "assistant_create.html" create_template = "assistant_create.html"
edit_template = "assistant_edit.html" edit_template = "assistant_edit.html"
@ -103,6 +117,32 @@ class SecureAssistantModelView(CustomModelView):
def is_accessible(self): def is_accessible(self):
return assistantViewIsAccessible() return assistantViewIsAccessible()
def queryFilter(self):
"""
A default filter has to be implemented to restrict assistants read/write access.
See on_model_change!
"""
raise ModelViewException("Not implemented!")
def on_model_change(self, form, model, is_created):
"""
This method is NOT ALLOWED TO BE (completely) OVERWRITTEN!
This method uses the filter returned by queryFilter (which has to be implemented!) to prevent assistants
from modifing models not listed on their view by sending a POST request with a different id.
You can extend this method by implementing a custom on_model_change and then calling super().on_model_change within it.
"""
if is_created:
reportBadAttempt("An assistant tried to create a model!")
raise ModelViewException("Assistants can not create models!")
if model not in self.get_query():
reportBadAttempt("An assistant tried to change a model not in his filter!")
raise ModelViewException("Unauthorized action!")
def on_model_delete(self, model):
reportBadAttempt("An assistant tried to delete a model!")
raise ModelViewException("Assistants can not delete models!")
class SecureAdminBaseView(BaseView): class SecureAdminBaseView(BaseView):
def is_accessible(self): def is_accessible(self):

4
advlabdb/utils.py
View file

@ -63,3 +63,7 @@ def initActiveSemesterMenuLinks(space):
) )
space.add_link(MenuLink(name="Logout", url=url_for("security.logout"))) space.add_link(MenuLink(name="Logout", url=url_for("security.logout")))
def reportBadAttempt(message):
print("BAD ATTEMPT:", message) # TODO: Log