Guard report behind perms check

Not strictly necessary, as we check this anyway, but it adds a second layer of security
This commit is contained in:
zandercymatics 2024-11-20 10:04:24 -07:00
parent 908e06c8eb
commit b791daf10c
No known key found for this signature in database
GPG key ID: FF4636ABEC9682B7


@ -174,11 +174,23 @@ class ExportMembersPortfolio(View):
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
"""Returns the members report""" """Returns the members report"""
portfolio = request.session.get("portfolio")
# Check if the user has organization access
if not request.user.is_org_user(request):
return render(request, "403.html", status=403)
# Check if the user has member permissions
if (
not request.user.has_view_members_portfolio_permission(portfolio)
and not request.user.has_edit_members_portfolio_permission(portfolio)
):
return render(request, "403.html", status=403)
# Swap the spaces for dashes to make the formatted name look prettier # Swap the spaces for dashes to make the formatted name look prettier
portfolio_display = "organization" portfolio_display = "organization"
if request.session.get("portfolio"): if portfolio:
portfolio_display = str(request.session.get("portfolio")).lower().replace(" ", "-") portfolio_display = str(portfolio).lower().replace(" ", "-")
response = HttpResponse(content_type="text/csv") response = HttpResponse(content_type="text/csv")
response["Content-Disposition"] = f'attachment; filename="members-for-{portfolio_display}.csv"' response["Content-Disposition"] = f'attachment; filename="members-for-{portfolio_display}.csv"'