Fix security of update_priorities endpoint

451351f4 · Odin Johan Vatne · 45c53f2c · 451351f4
Commit 451351f4 authored 3 years ago by Odin Johan Vatne
--- a/pasapp/views.py
+++ b/pasapp/views.py
@@ -267,23 +267,33 @@ def update_priorities(request):
    '''
    if request.method == 'POST':
        post_request = request.POST
+        errors = []
        for field in post_request:
            if field.startswith("priority"):
                application_id = post_request[field]
                priority = int(field.replace("priority", "", 1))
+                application = None
+
+                if application_id != '':
+                    application = Application.objects.get(pk=application_id)
+                    if application.student != request.user:
+                        errors.append(f"Application with priority {priority} did not belong to you.")
+                        continue

                duplicate_priority_applications = Application.objects.filter(
-                    priority=priority)
+                    student=request.user, priority=priority)
                for application in duplicate_priority_applications:
                    application.priority = None
                    application.save()

                if application_id == '':
                    continue
-                application = Application.objects.get(pk=application_id)
+
                if application is not None:
                    application.priority = priority
                    application.save()
+        if errors:
+            return HttpResponseForbidden("\n".join(errors))
        return redirect("/applications/")

    else: