Fixed security problems with Latest view

344c0d54 · Branson Craig Stephens · 6af41901 · 344c0d54 · 344c0d54
Commit 344c0d54 authored 9 years ago by Branson Craig Stephens
--- a/gracedb/permission_utils.py
+++ b/gracedb/permission_utils.py
@@ -3,6 +3,7 @@ from guardian.shortcuts import assign_perm
 from django.contrib.auth.models import Group
 from django.utils.functional import wraps
 from django.http import HttpResponseForbidden
+from gracedb.models import Event

 #-------------------------------------------------------------------------------
 # A convenient wrapper for permission checks.
@@ -18,6 +19,9 @@ def user_has_perm(user, shortname, obj):
 # when there are many objects.
 #-------------------------------------------------------------------------------
 def filter_events_for_user(events, user, shortname):
+    # If user is None, return empty queryset
+    if not user:
+        return Event.objects.none()
    auth_filter = Q()
    for group in user.groups.all():
        perm_string = '%s_can_%s' % (group.name, shortname)

--- a/gracedb/views.py
+++ b/gracedb/views.py
@@ -556,6 +556,8 @@ def oldsearch(request):
            context_instance=RequestContext(request))

 def latest(request):
+    if not request.user or not request.user.is_authenticated():
+        return HttpResponseForbidden("Forbidden")
    context = {}

    if request.method == "GET":