corbz/PYRSS-Website
corbz/PYRSS-Website
1
0
Fork 0
Code Issues 21 Pull Requests Actions Releases 1 Wiki Activity

admin users bypass api filters
Some checks failed
Build and Push Docker Image / build (push) Failing after 7m10s
Details

Browse Source
This commit is contained in:
Corban-Lee Jones 2024-10-29 22:02:22 +00:00
parent d96ac0d086
commit 7c0dc5302d
1 changed files with 43 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
apps/api/views.py
View File

@ -90,6 +90,9 @@ class Server_ListView(ListView):
serializer_class = ServerSerializer serializer_class = ServerSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return Server.objects.all().order_by("id")
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return Server.objects.filter(id__in=servers).order_by("id") return Server.objects.filter(id__in=servers).order_by("id")
@ -98,18 +101,22 @@ class Server_DetailView(DeletableDetailView):
serializer_class = ServerSerializer serializer_class = ServerSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return Server.objects.all()
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return Server.objects.filter(id__in=servers) return Server.objects.filter(id__in=servers)
def destroy(self, request, *args, **kwargs): def destroy(self, request, *args, **kwargs):
server = self.get_object() server = self.get_object()
member = ServerMember.objects.get(server=server, user=request.user)
if not member.is_owner: if not self.request.user.is_superuser:
return Response( member = ServerMember.objects.get(server=server, user=request.user)
{"detail": "Only the owner can destroy server data."}, if not member.is_owner:
status=status.HTTP_403_FORBIDDEN return Response(
) {"detail": "Only the owner can destroy server data."},
status=status.HTTP_403_FORBIDDEN
)
return super().destroy(request, *args, **kwargs) return super().destroy(request, *args, **kwargs)
@ -123,6 +130,9 @@ class ContentFilter_ListView(ListCreateView):
serializer_class = ContentFilterSerializer serializer_class = ContentFilterSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return ContentFilter.objects.all().order_by("name")
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return ContentFilter.objects.filter(server__in=servers).order_by("name") return ContentFilter.objects.filter(server__in=servers).order_by("name")
@ -131,6 +141,9 @@ class ContentFilter_DetailView(ChangableDetailView):
serializer_class = ContentFilterSerializer serializer_class = ContentFilterSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return ContentFilter.objects.all()
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return ContentFilter.objects.filter(server__in=servers) return ContentFilter.objects.filter(server__in=servers)
@ -163,14 +176,22 @@ class MessageStyle_ListView(ListCreateView):
serializer_class = MessageStyleSerializer serializer_class = MessageStyleSerializer
def get_queryset(self): def get_queryset(self):
return MessageStyle.objects.all() if self.request.user.is_superuser:
return MessageStyle.objects.all().order_by("name")
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return MessageStyle.objects.filter(server__in=servers).order_by("name")
class MessageStyle_DetailView(ChangableDetailView): class MessageStyle_DetailView(ChangableDetailView):
serializer_class = MessageStyleSerializer serializer_class = MessageStyleSerializer
def get_queryset(self): def get_queryset(self):
return MessageStyle.objects.all() if self.request.user.is_superuser:
return MessageStyle.objects.all()
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return MessageStyle.objects.filter(server__in=servers)
# region Subscriptions # region Subscriptions
@ -182,14 +203,20 @@ class Subscription_ListView(ListCreateView):
serializer_class = SubscriptionSerializer serializer_class = SubscriptionSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return Subscription.objects.all().order_by("name")
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return Subscription.objects.filter(server__in=servers) return Subscription.objects.filter(server__in=servers).order_by("name")
class Subscription_DetailView(ChangableDetailView): class Subscription_DetailView(ChangableDetailView):
serializer_class = SubscriptionSerializer serializer_class = SubscriptionSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return Subscription.objects.all()
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
return Subscription.objects.filter(server__in=servers) return Subscription.objects.filter(server__in=servers)
@ -203,6 +230,9 @@ class Content_ListView(ListCreateView):
serializer_class = ContentSerializer serializer_class = ContentSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return Content.objects.all().order_by("-subscription__created_at", "id")
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
subscriptions = Subscription.objects.filter(server__in=servers).values_list("id", flat=True) subscriptions = Subscription.objects.filter(server__in=servers).values_list("id", flat=True)
return Content.objects.filter(subscription__in=subscriptions).order_by("-subscription__created_at", "id") return Content.objects.filter(subscription__in=subscriptions).order_by("-subscription__created_at", "id")
@ -212,9 +242,12 @@ class Content_DetailView(ChangableDetailView):
serializer_class = ContentSerializer serializer_class = ContentSerializer
def get_queryset(self): def get_queryset(self):
if self.request.user.is_superuser:
return Content.objects.all()
servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True) servers = ServerMember.objects.filter(user=self.request.user).values_list("server", flat=True)
subscriptions = Subscription.objects.filter(server__in=servers).values_list("id", flat=True) subscriptions = Subscription.objects.filter(server__in=servers).values_list("id", flat=True)
return Content.objects.filter(subscription__in=subscriptions).order_by("-subscription__created_at", "id") return Content.objects.filter(subscription__in=subscriptions)
# region Unique Rules # region Unique Rules