Fixing basic auth password access

A loophole allowed LVC users who are also LV-EM members to access the page for creating/managing passwords for basic auth access to the API. This commit fixes that by also checking for the absence of LVC membership before allowing access to the page.

Fixing basic auth password access
ce00f056 · Tanner Prestegard · GraceDB · f95f11e5 · ce00f056
Commit ce00f056 authored 6 years ago by Tanner Prestegard Committed by GraceDB 6 years ago
--- a/gracedb/userprofile/views.py
+++ b/gracedb/userprofile/views.py
@@ -22,7 +22,8 @@ log = logging.getLogger(__name__)
 from .models import Trigger, Contact
 from .forms import ContactForm, triggerFormFactory, TriggerForm
-from events.permission_utils import internal_user_required, lvem_user_required
+from events.permission_utils import internal_user_required, \
+    lvem_user_required, is_external
 from events.query import labelQuery
 from events.models import Label
 from events.alert import get_twilio_from
@@ -38,6 +39,13 @@ def index(request):
 @lvem_user_required
 def managePassword(request):
+    # lvem_user_required only checks for LVEM group membership,
+    # not the absence of LVC membership.  We want this page to be
+    # forbidden to LVC members - they don't need passwords since they
+    # have certificate-based access to the API.
+    if not is_external(request.user):
+        return HttpResponseForbidden("Forbidden")
    # Set up context dictionary
    d = { 'username': request.user.username }