mirror of
https://gitea.mueller.network/extern/django-helpdesk.git
synced 2024-11-25 09:23:39 +01:00
Merge pull request #1134 from timthelion/bad-auth
Fix security problem with update_ticket view
commit
0fc18848bc
@ -578,7 +578,7 @@ def get_ticket_from_request_with_authorisation(
|
|||||||
secret_key__iexact=request.POST.get('key')
|
secret_key__iexact=request.POST.get('key')
|
||||||
)
|
)
|
||||||
except (Ticket.DoesNotExist, ValueError):
|
except (Ticket.DoesNotExist, ValueError):
|
||||||
return redirect_to_login(request.path, 'helpdesk:login')
|
raise PermissionDenied()
|
||||||
|
|
||||||
return get_object_or_404(Ticket, id=ticket_id)
|
return get_object_or_404(Ticket, id=ticket_id)
|
||||||
|
|
||||||
@ -732,7 +732,10 @@ def get_template_staff_and_template_cc(
|
|||||||
|
|
||||||
def update_ticket(request, ticket_id, public=False):
|
def update_ticket(request, ticket_id, public=False):
|
||||||
|
|
||||||
ticket = get_ticket_from_request_with_authorisation(request, ticket_id, public)
|
try:
|
||||||
|
ticket = get_ticket_from_request_with_authorisation(request, ticket_id, public)
|
||||||
|
except PermissionDenied:
|
||||||
|
return redirect_to_login(request.path, 'helpdesk:login')
|
||||||
|
|
||||||
comment = request.POST.get('comment', '')
|
comment = request.POST.get('comment', '')
|
||||||
new_status = int(request.POST.get('new_status', ticket.status))
|
new_status = int(request.POST.get('new_status', ticket.status))
|
||||||
|
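Review bot: The lookup in get_ticket_from_request_with_authorisation passes `request.POST.get('mail')` and `request.POST.get('key')` straight into `__iexact` filters, and this commit leaves that unchanged; Django interprets `__iexact=None` as an SQL `IS NULL` test, so a POST that omits both fields could match a ticket whose stored values are NULL, if those columns are nullable (the model is not visible here). I would reject the request before the query when either value is missing, `if not request.POST.get('key') or not request.POST.get('mail'): raise PermissionDenied()`, and consider matching the secret with `secret_key=` instead of `secret_key__iexact=`, since case-folding a secret only widens what is accepted. The function starts outside the hunk, so a presence check may already exist above; any other caller that relied on the old redirect return value also needs checking now that the helper raises.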