Merge pull request #1162 from MITx/fix/cdodge/security-holes

add some permissions asserting

Merge pull request #1162 from MITx/fix/cdodge/security-holes
add some permissions asserting
dbd9ac6e · Christina Roberts · 9d206287 · ab9b2086 · dbd9ac6e · dbd9ac6e
Commit dbd9ac6e authored Dec 14, 2012 by Christina Roberts
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 6 deletions

cms/djangoapps/contentstore/module_info_model.py
+0 -3

cms/djangoapps/contentstore/views.py
+30 -2

cms/static/js/template_loader.js
+1 -1

No files found.
--- a/cms/djangoapps/contentstore/module_info_model.py
+++ b/cms/djangoapps/contentstore/module_info_model.py
@@ -40,11 +40,8 @@ def set_module_info(store, location, post_data):
    module = store.clone_item(template_location, location)
    isNew = True

-  logging.debug('post = {0}'.format(post_data))
-
  if post_data.get('data') is not None:
      data = post_data['data']
-      logging.debug('data = {0}'.format(data))
      store.update_item(location, data)
     
  # cdodge: note calling request.POST.get('children') will return None if children is an empty array

--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -849,7 +849,8 @@ def remove_user(request, location):
 def landing(request, org, course, coursename):
    return render_to_response('temp-course-landing.html', {})

-
+@login_required
+@ensure_csrf_cookie
 def static_pages(request, org, course, coursename):

    location = ['i4x', org, course, 'course', coursename]
@@ -869,12 +870,17 @@ def static_pages(request, org, course, coursename):
 def edit_static(request, org, course, coursename):
    return render_to_response('edit-static-page.html', {})

-
+@login_required
+@ensure_csrf_cookie
 def edit_tabs(request, org, course, coursename):
    location = ['i4x', org, course, 'course', coursename]    
    course_item = modulestore().get_item(location)
    static_tabs_loc = Location('i4x', org, course, 'static_tab', None)

+    # check that logged in user has permissions to this item
+    if not has_access(request.user, location):
+        raise PermissionDenied()
+
    static_tabs = modulestore('direct').get_items(static_tabs_loc)

    components = [
@@ -937,6 +943,11 @@ def course_info_updates(request, org, course, provided_id=None):
    # ??? No way to check for access permission afaik
    # get current updates
    location = ['i4x', org, course, 'course_info', "updates"]
+
+    # check that logged in user has permissions to this item
+    if not has_access(request.user, location):
+        raise PermissionDenied()
+
    # NB: we're setting Backbone.emulateHTTP to true on the client so everything comes as a post!!!
    if request.method == 'POST' and 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
        real_method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
@@ -959,6 +970,10 @@ def course_info_updates(request, org, course, provided_id=None):
 @ensure_csrf_cookie
 def module_info(request, module_location):
    location = Location(module_location)
+    
+    # check that logged in user has permissions to this item
+    if not has_access(request.user, location):
+        raise PermissionDenied()

    # NB: we're setting Backbone.emulateHTTP to true on the client so everything comes as a post!!!
    if request.method == 'POST' and 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
@@ -1011,6 +1026,12 @@ def course_settings_updates(request, org, course, name, section):
    org, course: Attributes of the Location for the item to edit
    section: one of details, faculty, grading, problems, discussions
    """
+    location = ['i4x', org, course, 'course', name]
+
+    # check that logged in user has permissions to this item
+    if not has_access(request.user, location):
+        raise PermissionDenied()
+
    if section == 'details':
        manager = CourseDetails
    elif section == 'grading':
@@ -1035,6 +1056,13 @@ def course_grader_updates(request, org, course, name, grader_index=None):

    org, course: Attributes of the Location for the item to edit
    """
+    
+    location = ['i4x', org, course, 'course', name]
+
+    # check that logged in user has permissions to this item
+    if not has_access(request.user, location):
+        raise PermissionDenied()
+
    if request.method == 'POST' and 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
        real_method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
    else:

--- a/cms/static/js/template_loader.js
+++ b/cms/static/js/template_loader.js
@@ -5,7 +5,7 @@
 	if (typeof window.templateLoader == 'function') return;
 	
    var templateLoader = {
-      templateVersion: "0.0.11",
+      templateVersion: "0.0.12",
      templates: {},
      loadRemoteTemplate: function(templateName, filename, callback) {
        if (!this.templates[templateName]) {