From beefeb62cb525f3bdd62cf6307c48220698041c4 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Tue, 12 Dec 2017 09:38:08 +0100
Subject: [PATCH 1/8] Raise 404 for HostingOrder not belonging to user

---
 hosting/views.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/hosting/views.py b/hosting/views.py
index f6d0f0eb..1ac57c62 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -670,9 +670,16 @@ class OrdersHostingDetailView(LoginRequiredMixin,
     permission_required = ['view_hostingorder']
     model = HostingOrder
 
-    def get_object(self):
-        return HostingOrder.objects.get(
-            pk=self.kwargs.get('pk')) if self.kwargs.get('pk') else None
+    def get_object(self, queryset=None):
+        try:
+            hosting_order_obj = HostingOrder.objects.get(
+                pk=self.kwargs.get('pk')
+            )
+        except HostingOrder.DoesNotExist:
+            hosting_order_obj = None
+        if not self.request.user.has_perm(hosting_order_obj):
+            raise Http404
+        return hosting_order_obj
 
     def get_context_data(self, **kwargs):
         # Get context

From 79b4b449d14ead4ed6ec36ca5321e7b2776cea47 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Tue, 12 Dec 2017 09:53:14 +0100
Subject: [PATCH 2/8] Add some logger messages

---
 hosting/views.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/hosting/views.py b/hosting/views.py
index 1ac57c62..6c3461b4 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -671,19 +671,30 @@ class OrdersHostingDetailView(LoginRequiredMixin,
     model = HostingOrder
 
     def get_object(self, queryset=None):
+        logger.debug("Within OrdersHostingDetailView get_object")
         try:
             hosting_order_obj = HostingOrder.objects.get(
                 pk=self.kwargs.get('pk')
             )
+            logger.debug("Found HostingOrder obj")
         except HostingOrder.DoesNotExist:
+            logger.debug("HostingOrder obj not found")
             hosting_order_obj = None
         if not self.request.user.has_perm(hosting_order_obj):
+            logger.debug(
+                "User {user} has no perm on HostingOrder {order}".format(
+                    user=self.request.email,
+                    order=hosting_order_obj.id if hosting_order_obj else 'None'
+                )
+            )
             raise Http404
         return hosting_order_obj
 
     def get_context_data(self, **kwargs):
         # Get context
-        context = super(DetailView, self).get_context_data(**kwargs)
+        context = super(
+            OrdersHostingDetailView, self
+        ).get_context_data(**kwargs)
         obj = self.get_object()
         owner = self.request.user
         stripe_api_cus_id = self.request.session.get('customer')

From 57311eda7314fb4342547d1f6c197fab4d264039 Mon Sep 17 00:00:00 2001
From: "M.Ravi"
Date: Tue, 12 Dec 2017 12:14:39 +0100
Subject: [PATCH 3/8] Improve debug logs

---
 hosting/views.py | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/hosting/views.py b/hosting/views.py
index 6c3461b4..c04bcf30 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -671,20 +671,28 @@ class OrdersHostingDetailView(LoginRequiredMixin,
     model = HostingOrder
 
     def get_object(self, queryset=None):
-        logger.debug("Within OrdersHostingDetailView get_object")
-        try:
-            hosting_order_obj = HostingOrder.objects.get(
-                pk=self.kwargs.get('pk')
+        order_id = self.kwargs.get('pk')
+        logger.debug(
+            "Within OrdersHostingDetailView get_object {order_id}".format(
+                order_id=order_id
             )
-            logger.debug("Found HostingOrder obj")
+        )
+        try:
+            hosting_order_obj = HostingOrder.objects.get(pk=order_id)
+            logger.debug("Found HostingOrder for id {order_id}".format(
+                order_id=order_id
+            ))
         except HostingOrder.DoesNotExist:
-            logger.debug("HostingOrder obj not found")
+            logger.debug("HostingOrder not found for id {order_id}".format(
+                order_id=order_id
+            ))
             hosting_order_obj = None
         if not self.request.user.has_perm(hosting_order_obj):
             logger.debug(
-                "User {user} has no perm on HostingOrder {order}".format(
-                    user=self.request.email,
-                    order=hosting_order_obj.id if hosting_order_obj else 'None'
+                "User {user} does not have permission on HostingOrder "
+                "{order_id}. Raising 404 error now.".format(
+                    user=self.request.user.email,
+                    order_id=order_id if hosting_order_obj else 'None'
                 )
             )
             raise Http404

From 091b277f7df5eb78233099cec2c1c5224dafde69 Mon Sep 17 00:00:00 2001
From: "M.Ravi"
Date: Tue, 12 Dec 2017 12:42:40 +0100
Subject: [PATCH 4/8] Correct call to has_perm

---
 hosting/views.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hosting/views.py b/hosting/views.py
index c04bcf30..68f55433 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -687,7 +687,9 @@ class OrdersHostingDetailView(LoginRequiredMixin,
                 order_id=order_id
             ))
             hosting_order_obj = None
-        if not self.request.user.has_perm(hosting_order_obj):
+        if not self.request.user.has_perm(
+            self.permission_required[0], hosting_order_obj
+        ):
             logger.debug(
                 "User {user} does not have permission on HostingOrder "
                 "{order_id}. Raising 404 error now.".format(
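Review bot: In the denial log, `order_id=order_id if hosting_order_obj else 'None'` prints the literal `'None'` precisely on the not-found path, although `order_id` — the value an operator needs when triaging a forbidden or probing request — is known on both paths; pass `order_id` unconditionally. The message also reads "does not have permission" when the real reason is that no such order exists, which will mislead whoever reads the log. As a point of style, the new calls build the string eagerly with `.format()`; the lazy form `logger.debug("User %s does not have permission on HostingOrder %s. Raising 404 error now.", self.request.user.email, order_id)` keeps the same text and defers formatting until the record is actually emitted. The body of `get_object` (its `return`) continues past the end of the hunk.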
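Review bot: The corrected call `self.request.user.has_perm(self.permission_required[0], hosting_order_obj)` checks only the first entry of `permission_required` and silently ignores any further entries; `all(self.request.user.has_perm(p, hosting_order_obj) for p in self.permission_required)` keeps the list authoritative. Django's stock `ModelBackend` grants no object-level permissions, so this object-level check can only pass when an object-permission backend (django-guardian or similar) is in `AUTHENTICATION_BACKENDS` — the `permission_required` attribute suggests that, but the hunk cannot confirm it, so a one-line comment such as `# object-level check: relies on an object-permission backend being configured` would spare the next reader a surprise. When `hosting_order_obj` is `None` (unknown pk) the call degenerates into a model-level check, so whether the 404 is raised then depends on the user's global permission rather than on the missing row. The enclosing `get_object` starts and ends outside this hunk.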
From 24d85d5086e305d7e4f7ea72185584d08de446f9 Mon Sep 17 00:00:00 2001
From: "M.Ravi"
Date: Tue, 12 Dec 2017 15:43:25 +0100
Subject: [PATCH 5/8] Check has_perm only for invoices

---
 hosting/views.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/hosting/views.py b/hosting/views.py
index 68f55433..2166f1dd 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -687,17 +687,6 @@ class OrdersHostingDetailView(LoginRequiredMixin,
                 order_id=order_id
             ))
             hosting_order_obj = None
-        if not self.request.user.has_perm(
-            self.permission_required[0], hosting_order_obj
-        ):
-            logger.debug(
-                "User {user} does not have permission on HostingOrder "
-                "{order_id}. Raising 404 error now.".format(
-                    user=self.request.user.email,
-                    order_id=order_id if hosting_order_obj else 'None'
-                )
-            )
-            raise Http404
         return hosting_order_obj
 
     def get_context_data(self, **kwargs):
@@ -718,6 +707,17 @@ class OrdersHostingDetailView(LoginRequiredMixin,
             context['page_header_text'] = _('Confirm Order')
         else:
             context['page_header_text'] = _('Invoice')
+            if not self.request.user.has_perm(
+                self.permission_required[0], obj
+            ):
+                logger.debug(
+                    "User {user} does not have permission on HostingOrder "
+                    "{order_id}. Raising 404 error now.".format(
+                        user=self.request.user.email,
+                        order_id=obj.id if obj else 'None'
+                    )
+                )
+                raise Http404
 
         if obj is not None:
             # invoice for previous order

From 88afdc1dd1ebeeb7c263975f64a4d74a6c8101f8 Mon Sep 17 00:00:00 2001
From: "M.Ravi"
Date: Tue, 12 Dec 2017 16:49:50 +0100
Subject: [PATCH 6/8] Removed unwanted logger debug msg

---
 hosting/views.py | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/hosting/views.py b/hosting/views.py
index 2166f1dd..978abf28 100644
--- a/hosting/views.py
+++ b/hosting/views.py
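Review bot: After this move the per-object check runs only in the `Invoice` branch of `get_context_data`, so any path that obtains the order through `get_object()` without reaching that branch — the `Confirm Order` branch, or a `post()`/other handler on this view — now receives the order with no ownership check, and `get_object()` still returns `None` for an unknown pk instead of raising, so a missing order becomes a 404 only here. If the Confirm-Order branch is reachable only with `obj is None`, state that in a comment next to it; otherwise do the check once where the object is fetched (`get`/`dispatch`) and keep `get_context_data` free of access control. A denied access is also worth more than `logger.debug`: `logger.warning("User %s denied access to HostingOrder %s", self.request.user.email, obj.id if obj else self.kwargs.get('pk'))` — note `order_id` is not in scope in this method. The indentation of the inserted block relative to `else:` cannot be recovered from this collapsed diff; the commit subject suggests it sits inside the `else`. `get_context_data` begins and ends outside the hunk.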
@@ -672,11 +672,6 @@ class OrdersHostingDetailView(LoginRequiredMixin,
 
     def get_object(self, queryset=None):
         order_id = self.kwargs.get('pk')
-        logger.debug(
-            "Within OrdersHostingDetailView get_object {order_id}".format(
-                order_id=order_id
-            )
-        )
         try:
             hosting_order_obj = HostingOrder.objects.get(pk=order_id)
             logger.debug("Found HostingOrder for id {order_id}".format(

From 39c4338b4668bbe41c3929e14f15898bb22b79ff Mon Sep 17 00:00:00 2001
From: PCoder
Date: Wed, 20 Dec 2017 23:06:30 +0100
Subject: [PATCH 7/8] Update Changelog

---
 Changelog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Changelog b/Changelog
index 6b8b1370..d3c2c549 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,7 @@
 Next:
     * #3911: [dcl] Integrate resend activation link into dcl landing payment page
     * #3972: [hosting] Add ungleich company info to invoice footer
+    * #3974: [hosting] Improve invoice number: Show 404 for invoice resources that do not belong to the user
 1.2.13: 2017-12-09
     * [cms] Introduce UngleichHeaderBackgroundImageAndTextSliderPlugin that allows to have scrolling images and texts
     * [cms] Remove

tag for ungleich cms customer item template

From 2308726aaab3ac156dd067ab6b06841e75d09905 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Wed, 20 Dec 2017 23:44:30 +0100
Subject: [PATCH 8/8] Add DE translation for 404 page text

---
 ungleich_page/locale/de/LC_MESSAGES/django.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ungleich_page/locale/de/LC_MESSAGES/django.po b/ungleich_page/locale/de/LC_MESSAGES/django.po
index 873bb0df..affd285d 100644
--- a/ungleich_page/locale/de/LC_MESSAGES/django.po
+++ b/ungleich_page/locale/de/LC_MESSAGES/django.po
@@ -22,7 +22,7 @@ msgid "Glasfaser menu"
 msgstr ""
 
 msgid "\"Sorry, we could not find the page you are looking for!\""
-msgstr ""
+msgstr "\"Leider konnten wir die von dir gesuchte Seite nicht finden!\""
 
 msgid "Toggle navigation"
 msgstr "Umschalten"