holm/django-helpdeskmig
1
0
Fork 0
mirror of https://gitea.mueller.network/extern/django-helpdesk.git synced 2024-11-21 23:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix security problem with update_ticket view

Browse Source 
@martin-marty Introduced a security flaw in this commit.

ecefd5e407#

By extracting authentication logic for the update_ticket view to a new function
and mixing the return types. This function returns both a Ticket object and a
login redirect. This is simply non-sensical and fails to actually login-redirect
non-authenticated users.
This commit is contained in:
Timothy Hobbs 2023-11-11 22:24:00 +01:00
parent d6764cd4fb
commit 21513d4524
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
helpdesk/views/staff.py
View File

@ -578,7 +578,7 @@ def get_ticket_from_request_with_authorisation(
secret_key__iexact=request.POST.get('key')
)
except (Ticket.DoesNotExist, ValueError):
return redirect_to_login(request.path, 'helpdesk:login')
raise PermissionDenied()
return get_object_or_404(Ticket, id=ticket_id)
@ -732,7 +732,10 @@ def get_template_staff_and_template_cc(
def update_ticket(request, ticket_id, public=False):
ticket = get_ticket_from_request_with_authorisation(request, ticket_id, public)
try:
ticket = get_ticket_from_request_with_authorisation(request, ticket_id, public)
except PermissionDenied:
return redirect_to_login(request.path, 'helpdesk:login')
comment = request.POST.get('comment', '')
new_status = int(request.POST.get('new_status', ticket.status))