Prevent privilege escalation

2019-01-17 09:52:38 +01:00 · 2019-01-17 09:52:38 +01:00 · 51eb63bed7
commit 51eb63bed7
parent edcf42eff7
2 changed files with 13 additions and 1 deletions
--- a/manager/templates/manager/edituser.html
+++ b/manager/templates/manager/edituser.html
@ -26,6 +26,12 @@
   <label class="form-check-label" for="staff">Grant special privileges to user</label>
  </div>
  {% endif %}
+  {% if user.is_superuser %}
+  <div class="form-group form-check">
+   <input class="form-check-input" type="checkbox" value="True" {% if auser.is_superuser %} checked {% endif %} id="superuser" name="superuser">
+   <label class="form-check-label" for="superuser">Grant superuser privileges to user</label>
+  </div>
+  {% endif %}
  <input hidden value="sent" name="form"/>

  <button type="submit" class="btn btn-success">Apply Changes</button>
--- a/manager/views.py
+++ b/manager/views.py
@ -334,7 +334,13 @@ def edituser(request, user_id):
       if request.POST.get("form", ""):
           user[0].first_name = request.POST.get("firstname", "")
           user[0].last_name = request.POST.get("lastname", "")
-           user[0].is_staff = True if request.POST.get("staff", "0") == "True" else False
+
+           if request.user.is_staff or request.user.is_superuser:
+               user[0].is_staff = True if request.POST.get("staff", "0") == "True" else False
+
+           if request.user.is_superuser:
+               user[0].is_superuser = True if request.POST.get("superuser", "0") == "True" else False
+
           user[0].email = request.POST.get("email", "")
           user[0].save()