fix: add access control check for draft events #7367

manav1403 · 2020-10-20T05:18:29Z

Short description of what this resolves:

Earlier the events with status Draft were visible to any user at the event details endpoint using the id.
The expected behavior was that only admin and registrars should be able to see the drafted events only.

Changes proposed in this pull request:

Added check for requesting user whether he/she is a registrar or not

Checklist

I have read the Contribution & Best practices Guide and my PR follows them.
My branch is up-to-date with the Upstream development branch.
The unit tests pass locally with my changes
I have added tests that prove my fix is effective or that my feature works
I have added necessary documentation (if appropriate)

All the functions created/modified in this PR contain relevant docstrings.

codecov · 2020-10-20T05:41:29Z

Codecov Report

Merging #7367 into development will increase coverage by 0.04%.
The diff coverage is 100.00%.

@@               Coverage Diff               @@
##           development    #7367      +/-   ##
===============================================
+ Coverage        64.18%   64.23%   +0.04%     
===============================================
  Files              259      259              
  Lines            13126    13130       +4     
===============================================
+ Hits              8425     8434       +9     
+ Misses            4701     4696       -5

Impacted Files	Coverage Δ
app/api/events.py	`38.91% <100.00%> (+1.60%)`	⬆️
app/models/event.py	`78.73% <100.00%> (ø)`
app/api/helpers/permission_manager.py	`61.48% <0.00%> (+0.33%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 94182b0...76b7c13. Read the comment docs.

iamareebjamal · 2020-10-20T07:01:56Z

app/api/events.py

+            if 'Authorization' not in request.headers and not has_access(
+                'is_registrar', event_id=event.id
+            ):
+                view_kwargs['id'] = None


Use after get object

made changes @iamareebjamal pls review

iamareebjamal · 2020-10-20T10:07:54Z

app/api/events.py

@@ -659,6 +659,13 @@ def before_get_object(self, view_kwargs):
            else:
                view_kwargs['id'] = None

+    def after_get_object(self, event, view_kwargs):
+        if event.state == 'Draft':


There is no Draft state in the event

The default state is this only..

open-event-server/app/models/event.py

Line 76 in 27588e5

state = db.Column(db.String, default="Draft")

@iamareebjamal changing to

Suggested change

if event.state == 'Draft':

if event.state == 'draft':

is causing logic to fail and I found that it's because "state": "Draft" in response
** I have created the event using the default configurations

+-----------+---------+ | state | count | |-----------+---------| | draft | 664 | | published | 528 | +-----------+---------+

Production DB

The default state is this only..

open-event-server/app/models/event.py

Line 76 in 27588e5

state = db.Column(db.String, default="Draft")

Change it here as well

app/api/events.py

Co-authored-by: Areeb Jamal <[email protected]>

… into patch1

manav1403 · 2020-10-20T14:43:58Z

made changes @iamareebjamal pls review

iamareebjamal · 2020-10-20T19:06:28Z

app/api/events.py

@@ -659,6 +659,13 @@ def before_get_object(self, view_kwargs):
            else:
                view_kwargs['id'] = None

+    def after_get_object(self, event, view_kwargs):
+        if event.state == "draft":
+            if 'Authorization' not in request.headers and not has_access(


This should be or

iamareebjamal · 2020-10-20T19:15:50Z

Great. Now please add unit tests for the conditions

Unauthenticated user cannot access draft event
Normal user cannot access draft event
Event owner can access draft event
Admin can access draft event

iamareebjamal · 2020-10-20T19:17:11Z

Check this file for reference https://github.com/fossasia/open-event-server/pull/7360/files#diff-2a313974a7aa182365db51b0d3ebdaa7924c91318a741c8237510c3efe1edd06

houndci-bot · 2020-10-20T22:04:59Z