From 7b3fcd17eaa8a67937c0baa2c46a36e1140c5209 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Mon, 9 May 2016 12:07:30 +0200
Subject: [PATCH] Check user permission before delete or resize

Else a user without these permission could delete or resize and instance by forging a good post request.
---
 instances/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/instances/views.py b/instances/views.py
index 0109631..e19c632 100644
--- a/instances/views.py
+++ b/instances/views.py
@@ -260,7 +260,7 @@ def instance(request, compute_id, vname):
 addlogmsg(request.user.username, instance.name, msg)
 return HttpResponseRedirect(request.get_full_path() + '#powerforce')

- if 'delete' in request.POST:
+ if 'delete' in request.POST and (request.user.is_superuser or userinstace.is_delete):
 if conn.get_status() == 1:
 conn.force_shutdown()
 if request.POST.get('delete_disk', ''):
@@ -330,7 +330,7 @@ def instance(request, compute_id, vname):
 msg = _("Please shutdow down your instance and then try again")
 error_messages.append(msg)

- if 'resize' in request.POST:
+ if 'resize' in request.POST and (request.user.is_superuser or userinstace.is_change):
 vcpu = request.POST.get('vcpu', '')
 cur_vcpu = request.POST.get('cur_vcpu', '')
 memory = request.POST.get('memory', '')
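Review bot: Folding the permission test into the `if 'delete' in request.POST` condition makes an unauthorized delete request fall through silently, so the user gets no error and nothing is written through `addlogmsg`, even though the surrounding code reports every other refused action via `error_messages.append(msg)`; a denied delete or resize is exactly the kind of forged request the commit message describes and is worth surfacing and logging. The same pattern applies to the second hunk (`'resize'` with `userinstace.is_change`). Hoisting the permission into a local and adding an explicit deny branch keeps both paths readable and auditable; I have sketched the delete side below, the resize side is symmetrical. Note that `request.user.is_superuser or userinstace.is_delete` only avoids evaluating `userinstace` for superusers through short-circuiting, so this presumably relies on `userinstace` being bound for every non-superuser earlier in the view — verify against the part of `instance()` outside this hunk, since the function starts and ends outside it.
```python
            can_delete = request.user.is_superuser or userinstace.is_delete
            if 'delete' in request.POST and not can_delete:
                msg = _("You do not have permission to delete this instance")
                error_messages.append(msg)
                addlogmsg(request.user.username, instance.name, msg)
            if 'delete' in request.POST and can_delete:
                # … unchanged: force_shutdown / delete_disk handling …
```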