Fix POST requests slipping through AdminOrReadOnlyVisible

ractf · Oct 8, 2023 · 0131bb9 · 0131bb9
1 parent 528e496
commit 0131bb9
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/backend/permissions.py b/src/backend/permissions.py
@@ -7,6 +7,11 @@ def has_object_permission(self, request, view, obj):
             return True
         return request.user.is_authenticated and obj.is_visible and request.method in permissions.SAFE_METHODS
 
+    def has_permission(self, request, view):
+        if request.method not in permissions.SAFE_METHODS:
+            return request.user.is_staff and not request.user.should_deny_admin()
+        return request.user.is_authenticated
+
 
 class AdminOrReadOnly(permissions.BasePermission):
     def has_permission(self, request, view):

diff --git a/src/member/tests.py b/src/member/tests.py
@@ -162,6 +162,16 @@ def test_patch_member_admin(self):
         )
         self.assertEqual(response.status_code, HTTP_200_OK)
 
+    def test_unauthenticated_post_request_is_rejected(self):
+        self.admin_user.is_visible = True
+        self.admin_user.save()
+        self.client.force_authenticate(self.user)
+        response = self.client.post(
+            reverse("member-list"),
+            data={"username": "test2"},
+        )
+        self.assertEqual(response.status_code, HTTP_403_FORBIDDEN)
+
 
 class UserIPTest(APITestCase):
     def test_not_authenticated(self):