Add perms checks

This commit is contained in:
zandercymatics 2024-05-09 12:45:21 -06:00
parent 2f36033eb2
commit 84408fce48
No known key found for this signature in database
GPG key ID: FF4636ABEC9682B7
5 changed files with 34 additions and 5 deletions


@ -129,7 +129,9 @@ def login_callback(request):
# Clear the flag if the exception is not caught # Clear the flag if the exception is not caught
request.session.pop("redirect_attempted", None) request.session.pop("redirect_attempted", None)
return redirect(request.session.get("next", "/"))
success_redirect_url = "/" if user.finished_setup else f"/finish-user-setup/{user.id}"
return redirect(request.session.get("next", success_redirect_url))
else: else:
raise o_e.BannedUser() raise o_e.BannedUser()
except o_e.StateMismatch as nsd_err: except o_e.StateMismatch as nsd_err:
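Review bot: The session's `next` value still takes precedence over the setup redirect on the new return line, so a user whose `finished_setup` is false but who arrives with `next` set in the session bypasses `/finish-user-setup/` entirely, which contradicts the stated intent of forcing the profile setup. If the setup step is meant to be mandatory, test it before consulting the session: `if not user.finished_setup:` / `    return redirect(f"/finish-user-setup/{user.id}")` / `return redirect(request.session.get("next", "/"))`. The route is registered on this page as `finish-contact-profile-setup`, so building the target with `reverse(...)` and `kwargs={"pk": user.id}` would keep the path in one place, assuming `reverse` is already available in this module. login_callback begins outside the hunk, so where `user` is resolved and how `next` enters the session are not visible here.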


@ -100,6 +100,13 @@ urlpatterns = [
name="analytics", name="analytics",
), ),
path("admin/", admin.site.urls), path("admin/", admin.site.urls),
path(
# We embed the current user ID here, but we have a permission check
# that ensures the user is who they say they are.
"finish-user-setup/<int:pk>",
views.FinishContactProfileSetupView.as_view(),
name="finish-contact-profile-setup",
),
path( path(
"domain-request/<id>/edit/", "domain-request/<id>/edit/",
views.DomainRequestWizard.as_view(), views.DomainRequestWizard.as_view(),
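Review bot: The new comment above `"finish-user-setup/<int:pk>"` promises a permission check that "ensures the user is who they say they are", but it should name the check it relies on, and the guarantee is only as strong as that check's pk comparison; as the ContactPermission hunk reads on this page, a mismatched pk is denied only when `requested_user_exists` is true, so a pk with no matching user falls through at that layer. Tightening the comment to something like `# Guarded by ContactPermission.has_permission, which rejects any pk other than request.user.pk` ties the route to the contract it depends on and makes it obvious if the mixin drifts. Separately, the neighbouring routes in this list end with a trailing slash (`admin/`, `domain-request/<id>/edit/`) while this one does not; the login redirect on this page is built without one as well, so they agree, but matching the file's convention avoids relying on APPEND_SLASH behaviour later.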


@ -0,0 +1,7 @@
{% extends "base.html" %}
{% load static url_helpers %}
{% block title %} Finish setting up your profile {% endblock %}
{% block content %}
<h2>TEST</h2>
{% endblock content %}
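Review bot: The new template's content block is the placeholder `<h2>TEST</h2>`, while the view that renders it (FinishContactProfileSetupView, elsewhere on this page) declares `forms = [forms.YourContactForm]`; nothing here renders a form, a `{% csrf_token %}`, or a submit control, so the flow that the login redirect now sends users into ends at a stub. If the page is meant to ship in this state, a `{# TODO: render the contact form #}` inside the block would make that explicit for the next reader. `{% load static url_helpers %}` also loads two tag libraries that nothing in the file uses yet.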


@ -824,5 +824,5 @@ class DomainRequestDeleteView(DomainRequestPermissionDeleteView):
class FinishContactProfileSetupView(ContactPermissionView): class FinishContactProfileSetupView(ContactPermissionView):
"""This view forces the user into providing additional details that """This view forces the user into providing additional details that
we may have missed from Login.gov""" we may have missed from Login.gov"""
template_name = "domain_request_your_contact.html" template_name = "finish_contact_setup.html"
forms = [forms.YourContactForm] forms = [forms.YourContactForm]


@ -9,6 +9,7 @@ from registrar.models import (
DomainInformation, DomainInformation,
UserDomainRole, UserDomainRole,
Contact, Contact,
User,
) )
import logging import logging
@ -340,10 +341,22 @@ class ContactPermission(PermissionsLoginMixin):
if not self.request.user.is_authenticated: if not self.request.user.is_authenticated:
return False return False
user_pk = self.kwargs["pk"]
given_user_pk = self.kwargs["pk"]
# Grab the user in the DB to do a full object comparision, not just on ids
current_user = self.request.user
# Check for the ids existence since we're dealing with requests
requested_user_exists = User.objects.filter(pk=given_user_pk).exists()
# Compare the PK that was passed in to the user currently logged in
if current_user.pk != given_user_pk and requested_user_exists:
# Don't allow users to modify other users profiles
return False
# Check if the user has an associated contact # Check if the user has an associated contact
associated_contacts = Contact.objects.filter(user=user_pk) associated_contacts = Contact.objects.filter(user=current_user)
associated_contacts_length = len(associated_contacts) associated_contacts_length = len(associated_contacts)
if associated_contacts_length == 0: if associated_contacts_length == 0: