Merge pull request from GHSA-4884-3gvp-3wj2

* security fix: added permission check for the view page of editing an invoice * Version updated from 0.4.5 to 0.4.6 Signed-off-by: Trey <[email protected]> --------- Signed-off-by: Trey <[email protected]>
TreyWW · Jun 14, 2024 · 2c1e6d5 · 2c1e6d5
1 parent a5e363c
commit 2c1e6d5
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 11 deletions.
diff --git a/backend/__init__.py b/backend/__init__.py
@@ -1 +1 @@
-__version__ = "0.4.5"
+__version__ = "0.4.6"
diff --git a/backend/views/core/invoices/edit.py b/backend/views/core/invoices/edit.py
@@ -2,7 +2,8 @@
 
 from django.contrib import messages
 from django.http import JsonResponse
-from django.shortcuts import render
+from django.http.response import HttpResponse
+from django.shortcuts import render, redirect
 from django.views.decorators.http import require_http_methods
 
 from backend.models import Invoice, Client, InvoiceItem
@@ -56,8 +57,13 @@ def invoice_get_existing_data(invoice_obj):
 def invoice_edit_page_get(request, invoice_id):
     try:
         invoice = Invoice.objects.get(id=invoice_id)
+
+        if not invoice.has_access(request.user):
+            messages.error(request, "You are not permitted to edit this invoice")
+            return redirect("invoices:dashboard")
     except Invoice.DoesNotExist:
-        return JsonResponse({"message": "Invoice not found"}, status=404)
+        messages.error(request, "Invoice not found")
+        return redirect("invoices:dashboard")
 
     # use to populate fields with existing data in edit_from_destination.html AND edit_to_destination.html
     data_to_populate = invoice_get_existing_data(invoice)
@@ -72,12 +78,7 @@ def edit_invoice(request: HtmxHttpRequest, invoice_id):
     except Invoice.DoesNotExist:
         return JsonResponse({"message": "Invoice not found"}, status=404)
 
-    if request.user.logged_in_as_team and request.user.logged_in_as_team != invoice.organization:
-        return JsonResponse(
-            {"message": "You do not have permission to edit this invoice"},
-            status=403,
-        )
-    elif request.user != invoice.user:
+    if not invoice.has_access(request.user):
         return JsonResponse(
             {"message": "You do not have permission to edit this invoice"},
             status=403,

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "MyFinances"
-version = "0.4.5"
+version = "0.4.6"
 description = "github.com/TreyWW/MyFinances"
 authors = ["TreyWW"]
 readme = "README.md"
@@ -94,7 +94,7 @@ requires = ["poetry-core"]
 build-backend = "poetry.core.masonry.api"
 
 [tool.bumpversion]
-current_version = "0.4.5"
+current_version = "0.4.6"
 commit = true
 commit_args = "-s"
 tag = true