git.ipfire.org Git - thirdparty/patchwork.git/commit
bundle: Fix use of basic auth for bundle mboxes
author    Andrew Donnellan <andrew.donnellan@au1.ibm.com>
          Thu, 25 May 2017 07:38:04 +0000 (17:38 +1000)
committer Stephen Finucane <stephen@that.guru>
          Fri, 26 May 2017 08:51:08 +0000 (09:51 +0100)
commit    8d98b5d43fd3d4d62929b8cc2a00c39d7111f152
tree      7ddb741b010f3ec237e0b1bd5e4377ff4e10f795
parent    9d63531789955f5c4dec2c0c0899485b79fdcb96
bundle: Fix use of basic auth for bundle mboxes

Commit 0b4f508a8438 ("views: Allow use of basic auth for bundle mboxes")
added support for using Django REST Framework's BasicAuthentication to
authenticate when accessing the bundle-mbox view.

To check the user's credentials, we call
BasicAuthentication.authenticate(); however, we don't check whether
the returned user is actually the bundle owner. This means that any user
can access any private bundle if they authenticate using basic
authentication.

Additionally, if invalid credentials are provided via a basic
authentication header, BasicAuthentication.authenticate() will throw an
AuthenticationFailed exception. We currently don't catch this, resulting in
an exception page being displayed rather than a 404.

Add a new helper, rest_auth(), that takes a request and returns a user.
Call this in bundle_mbox() and save the result into request.user before we
check whether request.user is actually the bundle owner.

Found by code inspection.

Fixes: 0b4f508a8438 ("views: Allow use of basic auth for bundle mboxes")
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Reviewed-by: Stephen Finucane <stephen@that.guru>
patchwork/views/bundle.py
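The commit message describes two defects in one view: an authentication result used as if it were an authorization decision (any valid Basic credentials unlocked any private bundle), and an uncaught AuthenticationFailed that surfaced as an exception page instead of a 404. The following is an added, stand-alone model of that before/after behaviour; it is not patchwork's code and does not use Django or DRF. The BasicAuthentication contract (None when no Basic header is present, AuthenticationFailed on bad credentials, otherwise a user) is reproduced by basic_authenticate(), the user table, bundle table and request dict are constructed sample data, and the names bundle_mbox_before, bundle_mbox_after and dispatch are hypothetical.

```python
"""Authentication is not authorization: a model of the bundle-mbox fix.

Added example, not patchwork code. Django/DRF are replaced by small
stand-ins so the file runs offline (assumptions are marked as such).
"""
import base64
import binascii
import hmac
from dataclasses import dataclass
from typing import Optional


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed (assumption)."""


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User("", is_authenticated=False)

# Constructed sample data: a password table and two bundles owned by alice,
# one private and one public.
USERS = {"alice": "s3cret-alice", "mallory": "s3cret-mallory"}
BUNDLES = {
    1: {"owner": "alice", "public": False, "mbox": "From alice@example.com (private)\n"},
    2: {"owner": "alice", "public": True, "mbox": "From alice@example.com (public)\n"},
}


def basic_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def make_request(authorization: Optional[str] = None) -> dict:
    """Minimal request: headers plus the user the session middleware resolved
    (always anonymous here, so only Basic auth can identify the caller)."""
    headers = {"Authorization": authorization} if authorization else {}
    return {"headers": headers, "user": ANONYMOUS}


def basic_authenticate(request: dict) -> Optional[User]:
    """Model of DRF BasicAuthentication.authenticate() (assumed contract):
    None when no Basic header is present, AuthenticationFailed when the
    header is malformed or the credentials are wrong, else the User."""
    parts = request["headers"].get("Authorization", "").split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
        username, password = decoded.split(":", 1)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        raise AuthenticationFailed("Invalid basic header.")
    if username not in USERS or not hmac.compare_digest(
        USERS[username].encode(), password.encode()
    ):
        raise AuthenticationFailed("Invalid username/password.")
    return User(username)


def rest_auth(request: dict) -> User:
    """Helper in the shape the commit describes: takes a request, returns a
    user, never raises. Bad credentials degrade to anonymous; no Basic header
    falls back to whoever the session already identified."""
    try:
        user = basic_authenticate(request)
    except AuthenticationFailed:
        return ANONYMOUS
    return user if user is not None else request["user"]


def bundle_mbox_before(request: dict, bundle_id: int) -> tuple:
    """'Before' model: a successful Basic login is treated as authorization
    for any private bundle, and AuthenticationFailed is left uncaught."""
    bundle = BUNDLES.get(bundle_id)
    if bundle is None:
        return 404, ""
    if not bundle["public"]:
        user = basic_authenticate(request)  # may raise; nothing catches it here
        if user is None:
            user = request["user"]
        if not user.is_authenticated:
            return 404, ""
        # Missing here: the check that `user` actually owns the bundle.
    return 200, bundle["mbox"]


def bundle_mbox_after(request: dict, bundle_id: int) -> tuple:
    """'After' model: resolve the caller with rest_auth(), store it on the
    request, then require that this user is the bundle owner."""
    bundle = BUNDLES.get(bundle_id)
    if bundle is None:
        return 404, ""
    if not bundle["public"]:
        request["user"] = rest_auth(request)
        user = request["user"]
        if not user.is_authenticated or user.username != bundle["owner"]:
            return 404, ""  # private bundles are invisible to non-owners
    return 200, bundle["mbox"]


def dispatch(view, request: dict, bundle_id: int) -> tuple:
    """Stand-in for the framework: an uncaught exception becomes a 500 page."""
    try:
        return view(request, bundle_id)
    except Exception as exc:
        return 500, f"exception page: {exc}"
```

Running mallory's valid credentials against alice's private bundle through dispatch(bundle_mbox_before, ...) returns 200, while bundle_mbox_after returns 404; wrong credentials produce a 500 exception page from the old view and a plain 404 from the new one, so a probing client can no longer distinguish "wrong password" from "no such bundle". The ownership test is deliberately applied to the user rest_auth() returns, not to whatever request.user held before the call.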