Fix security vulnerability for Hub API

qgis · Nov 21, 2024 · 7882b76 · 7882b76
1 parent 320e56f
commit 7882b76
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/qgis-app/api/views.py b/qgis-app/api/views.py
@@ -422,7 +422,7 @@ def get(self, request, *args, **kwargs):
         object = _get_resource_object(uuid, resource_type)
         if object is None:
             raise Http404
-        if not object.creator.is_staff and object.creator != request.user:
+        if not request.user.is_superuser and object.creator != request.user:
             return Response(
                 {"detail": "You do not have permission to perform this action."},
                 status=status.HTTP_403_FORBIDDEN,
@@ -436,7 +436,7 @@ def put(self, request, *args, **kwargs):
         object = _get_resource_object(uuid, resource_type)
         if object is None:
             raise Http404
-        if not object.creator.is_staff and object.creator != request.user:
+        if not request.user.is_superuser and object.creator != request.user:
             return Response(
                 {"detail": "You do not have permission to perform this action."},
                 status=status.HTTP_403_FORBIDDEN,
@@ -453,7 +453,7 @@ def delete(self, request, *args, **kwargs):
         object = _get_resource_object(uuid, resource_type)
         if object is None:
             raise Http404
-        if not object.creator.is_staff and object.creator != request.user:
+        if not request.user.is_superuser and object.creator != request.user:
             return Response(
                 {"detail": "You do not have permission to perform this action."},
                 status=status.HTTP_403_FORBIDDEN,