add 403 exception for bad access
This commit is contained in:
parent
e87db60b7e
commit
8c5e6302b6
|
@ -52,6 +52,7 @@ class DobleFactorAuthView(AdminView, View):
|
|||
url = reverse_lazy('idhub:admin_dashboard')
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
if not self.request.session.get("2fauth"):
|
||||
return redirect(self.url)
|
||||
|
||||
|
@ -132,6 +133,7 @@ class PeopleView(People, TemplateView):
|
|||
class PeopleActivateView(PeopleView):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
|
||||
|
@ -153,6 +155,7 @@ class PeopleActivateView(PeopleView):
|
|||
class PeopleDeleteView(PeopleView):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
|
||||
|
@ -317,6 +320,7 @@ class PeopleMembershipDeleteView(PeopleView):
|
|||
model = Membership
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
|
||||
|
@ -404,6 +408,7 @@ class PeopleRolDeleteView(PeopleView):
|
|||
model = UserRol
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
user = self.object.user
|
||||
|
@ -467,6 +472,7 @@ class RolDeleteView(AccessControl):
|
|||
model = Rol
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
|
||||
|
@ -540,6 +546,7 @@ class ServiceDeleteView(AccessControl):
|
|||
model = Service
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
|
||||
|
@ -584,6 +591,7 @@ class CredentialView(Credentials):
|
|||
class CredentialJsonView(Credentials):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
pk = kwargs['pk']
|
||||
self.object = get_object_or_404(
|
||||
VerificableCredential,
|
||||
|
@ -598,6 +606,7 @@ class RevokeCredentialsView(Credentials):
|
|||
success_url = reverse_lazy('idhub:admin_credentials')
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
pk = kwargs['pk']
|
||||
self.object = get_object_or_404(
|
||||
VerificableCredential,
|
||||
|
@ -617,6 +626,7 @@ class DeleteCredentialsView(Credentials):
|
|||
success_url = reverse_lazy('idhub:admin_credentials')
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
pk = kwargs['pk']
|
||||
self.object = get_object_or_404(
|
||||
VerificableCredential,
|
||||
|
@ -696,6 +706,7 @@ class DidDeleteView(Credentials, DeleteView):
|
|||
success_url = reverse_lazy('idhub:admin_dids')
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(self.model, pk=self.pk)
|
||||
Event.set_EV_ORG_DID_DELETED_BY_ADMIN(self.object)
|
||||
|
@ -734,6 +745,7 @@ class SchemasView(SchemasMix):
|
|||
class SchemasDeleteView(SchemasMix):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(Schemas, pk=self.pk)
|
||||
self.object.delete()
|
||||
|
@ -744,6 +756,7 @@ class SchemasDeleteView(SchemasMix):
|
|||
class SchemasDownloadView(SchemasMix):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
self.pk = kwargs['pk']
|
||||
self.object = get_object_or_404(Schemas, pk=self.pk)
|
||||
|
||||
|
@ -822,6 +835,7 @@ class SchemasImportView(SchemasMix):
|
|||
class SchemasImportAddView(SchemasMix):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
file_name = kwargs['file_schema']
|
||||
schemas_files = os.listdir(settings.SCHEMAS_DIR)
|
||||
if not file_name in schemas_files:
|
||||
|
|
|
@ -3,6 +3,21 @@ from django.contrib.auth import views as auth_views
|
|||
from django.urls import reverse_lazy, resolve
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from django.shortcuts import redirect
|
||||
from django.http import Http404
|
||||
from django.core.exceptions import PermissionDenied
|
||||
|
||||
|
||||
|
||||
class Http403(PermissionDenied):
|
||||
status_code = 403
|
||||
default_detail = _('Permission denied. User is not authenticated')
|
||||
default_code = 'forbidden'
|
||||
|
||||
def __init__(self, detail=None, code=None):
|
||||
if detail is not None:
|
||||
self.detail = details or self.default_details
|
||||
if code is not None:
|
||||
self.code = code or self.default_code
|
||||
|
||||
|
||||
class UserView(LoginRequiredMixin):
|
||||
|
@ -26,11 +41,17 @@ class UserView(LoginRequiredMixin):
|
|||
class AdminView(UserView):
|
||||
|
||||
def get(self, request, *args, **kwargs):
|
||||
if not request.user.is_admin:
|
||||
url = reverse_lazy('idhub:user_dashboard')
|
||||
return redirect(url)
|
||||
self.check_valid_user()
|
||||
return super().get(request, *args, **kwargs)
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
self.check_valid_user()
|
||||
return super().post(request, *args, **kwargs)
|
||||
|
||||
def check_valid_user(self):
|
||||
if not self.request.user.is_admin:
|
||||
raise Http403
|
||||
|
||||
if self.request.session.get("2fauth"):
|
||||
return redirect(reverse_lazy("idhub:login"))
|
||||
|
||||
return super().get(request, *args, **kwargs)
|
||||
raise Http403
|
||||
|
||||
|
|
Loading…
Reference in New Issue