From 9b3691079b1d210531973136e7283c6d499f2470 Mon Sep 17 00:00:00 2001
From: Yann Sionneau
Date: Tue, 14 Feb 2023 19:40:12 +0100
Subject: [PATCH] Prevent information extraction about organization memberships

Check first that the requesting user really has the corresponding rights to play with an organization because doing more checks whose errors can provide information about who is a member of which organization.
---
 pytition/petition/views.py | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/pytition/petition/views.py b/pytition/petition/views.py
index 34504e47..974d3bdd 100644
--- a/pytition/petition/views.py
+++ b/pytition/petition/views.py
@@ -893,26 +893,14 @@ def org_set_user_perms(request, orgslugname, user_name):
     """
     pytitionuser = get_session_user(request)
 
-    try:
-        member = PytitionUser.objects.get(user__username=user_name)
-    except PytitionUser.DoesNotExist:
-        messages.error(request, _("User does not exist"))
-        return redirect("org_dashboard", orgslugname)
-
     try:
         org = Organization.objects.get(slugname=orgslugname)
     except Organization.DoesNotExist:
         raise Http404(_("Organization does not exist"))
 
-    if org not in member.organization_set.all():
-        messages.error(request, _("This user is not part of organization \'{orgname}\'".format(orgname=org.name)))
-        return redirect("org_dashboard", org.slugname)
-
-    try:
-        permissions = Permission.objects.get(user=member, organization=org)
-    except Permission.DoesNotExist:
-        messages.error(request, _("Fatal error, this user does not have permissions attached for this organization"))
-        return redirect("org_dashboard", org.slugname)
+    if pytitionuser not in org.members.all():
+        messages.error(request, _("You are not part of this organization"))
+        return redirect("user_dashboard")
 
     try:
         userperms = Permission.objects.get(user=pytitionuser, organization=org)
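Review bot: The membership test added at `if pytitionuser not in org.members.all():` loads every member of the organization into Python to answer a question about one user; the same decision can be made in the database with `if not org.members.filter(pk=pytitionuser.pk).exists():`, assuming `members` is the usual Django related manager. Placing this check before the requester's own Permission row is loaded is the right order, since a non-member is turned away at `user_dashboard` without any further query that could fail in an informative way. A non-member still receives a different response for an unknown slug (Http404) than for an existing one (redirect with a message), so organization existence, unlike membership, remains observable to any logged-in user; whether that matters depends on whether slugs are public, which this hunk does not show. org_set_user_perms begins before this hunk and continues past it.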
@@ -920,14 +908,26 @@ def org_set_user_perms(request, orgslugname, user_name):
         messages.error(request, _("Fatal error, you don't have permissions attached to you for this organization"))
         return redirect("org_dashboard", org.slugname)
 
-    if pytitionuser not in org.members.all():
-        messages.error(request, _("You are not part of this organization"))
-        return redirect("user_dashboard")
-
     if not userperms.can_modify_permissions:
         messages.error(request, _("You are not allowed to modify this organization members' permissions"))
         return redirect("org_edit_user_perms", orgslugname, user_name)
 
+    try:
+        member = PytitionUser.objects.get(user__username=user_name)
+    except PytitionUser.DoesNotExist:
+        messages.error(request, _("User does not exist"))
+        return redirect("org_dashboard", orgslugname)
+
+    if org not in member.organization_set.all():
+        messages.error(request, _("This user is not part of organization \'{orgname}\'".format(orgname=org.name)))
+        return redirect("org_dashboard", org.slugname)
+
+    try:
+        permissions = Permission.objects.get(user=member, organization=org)
+    except Permission.DoesNotExist:
+        messages.error(request, _("Fatal error, this user does not have permissions attached for this organization"))
+        return redirect("org_dashboard", org.slugname)
+
     if request.method == "POST":
         error = False
         post = request.POST
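Review bot: The lookup of `user_name` now runs only after the requester's membership and `can_modify_permissions` checks, but nothing in the code records that this ordering is the point of the change, so a later tidy-up could move the lookup back to the top of the function and reopen the membership oracle the commit closes. A comment above the added `try:` would pin the invariant: `# Resolve user_name only after the requester's rights are verified: the three error paths below reveal whether a user belongs to this organization.` The function's docstring, which begins before the first hunk, is the natural place to state the same rule for callers. `permissions` is assigned here but not read within the hunk; if it is also unused in the rest of the function, which continues past this hunk, the lookup could become an existence check, keeping the redirect on a missing row.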