From 04cc11f6d5b8e911586d5076abbc026c755a65e3 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Sat, 8 Nov 2014 17:14:46 +0100 Subject: [PATCH] forward port security fix from 0.9.1, fixes #177 --- CHANGES.rst | 8 ++++++ .../templates/main/related_host_overview.html | 6 ++-- nsupdate/main/views.py | 28 ++++++++++++------- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index cb31083..c64856a 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -27,6 +27,14 @@ Other changes: * misc. layout / UI improvments +Release 0.9.1 +------------- + +Fixes: + +* fix security issue with "related hosts" / "service updaters", fixes #177 + + Release 0.9.0 ------------- diff --git a/nsupdate/main/templates/main/related_host_overview.html b/nsupdate/main/templates/main/related_host_overview.html index 79632a4..75acfcb 100644 --- a/nsupdate/main/templates/main/related_host_overview.html +++ b/nsupdate/main/templates/main/related_host_overview.html @@ -5,10 +5,10 @@

{% trans "Related hosts" %} - {% trans "Add related host" %} + {% trans "Add related host" %}

- {% trans "Main host:" %} {{ main_host.get_fqdn }} + {% trans "Main host:" %} {{ main_host.get_fqdn }}

@@ -34,7 +34,7 @@ {% for rh in related_hosts %} diff --git a/nsupdate/main/views.py b/nsupdate/main/views.py index 953e9eb..16ad6fc 100644 --- a/nsupdate/main/views.py +++ b/nsupdate/main/views.py @@ -300,14 +300,17 @@ class RelatedHostOverviewView(TemplateView): @method_decorator(login_required) def dispatch(self, *args, **kwargs): + try: + self.__main_host = Host.objects.get(pk=kwargs.pop('mpk', None), created_by=self.request.user) + except Host.DoesNotExist: + raise PermissionDenied() # or Http404 return super(RelatedHostOverviewView, self).dispatch(*args, **kwargs) def get_context_data(self, *args, **kwargs): context = super(RelatedHostOverviewView, self).get_context_data(*args, **kwargs) context['nav_overview'] = True - mpk = kwargs.get('mpk') - context['main_host'] = Host.objects.get(pk=mpk) - context['related_hosts'] = RelatedHost.objects.filter(main_host=mpk) + context['main_host'] = self.__main_host + context['related_hosts'] = RelatedHost.objects.filter(main_host=self.__main_host) return context @@ -318,7 +321,10 @@ class AddRelatedHostView(CreateView): @method_decorator(login_required) def dispatch(self, *args, **kwargs): - self.__main_host_pk = kwargs.pop('mpk') + try: + self.__main_host = Host.objects.get(pk=kwargs.pop('mpk', None), created_by=self.request.user) + except Host.DoesNotExist: + raise PermissionDenied() # or Http404 return super(AddRelatedHostView, self).dispatch(*args, **kwargs) def get_success_url(self): @@ -330,7 +336,7 @@ class AddRelatedHostView(CreateView): def form_valid(self, form): self.object = form.save(commit=False) - self.object.main_host = Host(pk=self.__main_host_pk) + self.object.main_host = self.__main_host self.object.save() success, level, msg = True, messages.SUCCESS, 'Related host added.' messages.add_message(self.request, level, msg) 
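Review bot: The owner-scoped lookup added to `RelatedHostOverviewView.dispatch` is repeated verbatim in `AddRelatedHostView.dispatch` in the next hunk and in `UpdaterHostConfigOverviewView.dispatch` in the following one, so the `created_by=self.request.user` constraint that #177 was missing is still something every new view has to remember; a small mixin that every host-bound view inherits would make the check the default rather than a convention. The trailing `# or Http404` on each `raise PermissionDenied()` reads as an unresolved design note; since `Host.objects.get(pk=..., created_by=...)` raises `DoesNotExist` both for an unknown pk and for another user's host, a single `PermissionDenied` keeps the two cases indistinguishable to the caller, and that is worth stating instead: `except Host.DoesNotExist:  # unknown pk and foreign host look the same to the caller`. Any view that resolves a `RelatedHost` or `ServiceUpdaterHostConfig` directly by its own pk (edit/delete, if such views exist) is not in this diff and would need the same owner scoping. The `class RelatedHostOverviewView(TemplateView):` header is outside the hunk, so adopting the mixin touches one line the hunk does not show.
```python
class OwnedHostMixin(object):
    """Resolve the Host named by URL kwarg `host_kwarg`, scoped to the requesting user."""
    host_kwarg = 'pk'

    def get_owned_host(self, kwargs):
        # unknown pk and someone else's host both raise DoesNotExist, so the
        # response does not reveal whether the pk exists
        try:
            return Host.objects.get(pk=kwargs.pop(self.host_kwarg, None),
                                    created_by=self.request.user)
        except Host.DoesNotExist:
            raise PermissionDenied()


class RelatedHostOverviewView(OwnedHostMixin, TemplateView):
    host_kwarg = 'mpk'

    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs):
        self.__main_host = self.get_owned_host(kwargs)
        return super(RelatedHostOverviewView, self).dispatch(*args, **kwargs)
    # … unchanged: get_context_data …
```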
@@ -481,15 +487,18 @@ class UpdaterHostConfigOverviewView(CreateView): @method_decorator(login_required) def dispatch(self, *args, **kwargs): - self.__host_pk = kwargs.pop('pk', None) + try: + self.__host = Host.objects.get(pk=kwargs.pop('pk', None), created_by=self.request.user) + except Host.DoesNotExist: + raise PermissionDenied() # or Http404 return super(UpdaterHostConfigOverviewView, self).dispatch(*args, **kwargs) def get_success_url(self): - return reverse('updater_hostconfig_overview', args=(self.__host_pk,)) + return reverse('updater_hostconfig_overview', args=(self.__host.pk, )) def form_valid(self, form): self.object = form.save(commit=False) - self.object.host = Host(pk=self.__host_pk) + self.object.host = self.__host self.object.created_by = self.request.user self.object.save() messages.add_message(self.request, messages.SUCCESS, 'Service Updater Host Configuration added.') @@ -498,8 +507,7 @@ class UpdaterHostConfigOverviewView(CreateView): def get_context_data(self, *args, **kwargs): context = super( UpdaterHostConfigOverviewView, self).get_context_data(*args, **kwargs) - context['updater_configs'] = ServiceUpdaterHostConfig.objects.filter( - host=self.__host_pk) + context['updater_configs'] = ServiceUpdaterHostConfig.objects.filter(host=self.__host) return context
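Review bot: The `Host.objects.get(..., created_by=self.request.user)` lookup in `UpdaterHostConfigOverviewView.dispatch` is now the single point that keeps `get_success_url`, `form_valid` and `get_context_data` bound to a host the user owns, and nothing in the commit exercises it. A regression test that requests the updater hostconfig overview with the pk of a host created by a different user and asserts a 403 (and the same for the related-host URLs in the earlier hunks) would pin the fix against the kind of regression this forward port is repairing. The `kwargs.pop('pk', None)` default also means a route that omits `pk` surfaces as `PermissionDenied` rather than a routing error, which is fine but deserves a one-line comment so it is not mistaken for an access bug later.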
- {{ rh }} + {{ rh }}
{{ rh.comment }}