Fix security hole in commentary vetting

d0b94ffd · Jorran de Wit · a553c416 · d0b94ffd · d0b94ffd
Commit d0b94ffd authored 7 years ago by Jorran de Wit
--- a/commentaries/views.py
+++ b/commentaries/views.py
@@ -106,7 +106,8 @@ def prefill_using_arxiv_identifier(request):
 def vet_commentary_requests(request):
    """Show the first commentary thats awaiting vetting"""
    contributor = Contributor.objects.get(user=request.user)
-    commentary_to_vet = Commentary.objects.awaiting_vetting().first()  # only handle one at a time
+    commentary_to_vet = (Commentary.objects.awaiting_vetting()
+                         .exclude(requested_by=contributor).first())  # only handle one at a time
    form = VetCommentaryForm()
    context = {'contributor': contributor, 'commentary_to_vet': commentary_to_vet, 'form': form}
    return render(request, 'commentaries/vet_commentary_requests.html', context)
@@ -114,50 +115,54 @@ def vet_commentary_requests(request):
 @permission_required('scipost.can_vet_commentary_requests', raise_exception=True)
 def vet_commentary_request_ack(request, commentary_id):
-    if request.method == 'POST':
+    # Security fix: Smart asses can vet their own commentary without this line.
-        form = VetCommentaryForm(request.POST, user=request.user, commentary_id=commentary_id)
+    #               Commentary itself not really being used.
-        if form.is_valid():
+    get_object_or_404((Commentary.objects.awaiting_vetting()
-            # Get commentary
+                       .exclude(requested_by=request.user.contributor)), id=commentary_id)
-            commentary = form.get_commentary()
-            email_context = {
+    form = VetCommentaryForm(request.POST or None, user=request.user, commentary_id=commentary_id)
-                'commentary': commentary
+    if form.is_valid():
-            }
+        # Get commentary
+        commentary = form.get_commentary()
-            # Retrieve email_template for action
+        email_context = {
-            if form.commentary_is_accepted():
+            'commentary': commentary
-                email_template = 'commentaries/vet_commentary_email_accepted.html'
+        }
-            elif form.commentary_is_modified():
-                email_template = 'commentaries/vet_commentary_email_modified.html'
+        # Retrieve email_template for action
+        if form.commentary_is_accepted():
-                request_commentary_form = RequestCommentaryForm(initial={
+            email_template = 'commentaries/vet_commentary_email_accepted.html'
-                    'pub_title': commentary.pub_title,
+        elif form.commentary_is_modified():
-                    'arxiv_link': commentary.arxiv_link,
+            email_template = 'commentaries/vet_commentary_email_modified.html'
-                    'pub_DOI_link': commentary.pub_DOI_link,
-                    'author_list': commentary.author_list,
+            request_commentary_form = RequestCommentaryForm(initial={
-                    'pub_date': commentary.pub_date,
+                'pub_title': commentary.pub_title,
-                    'pub_abstract': commentary.pub_abstract
+                'arxiv_link': commentary.arxiv_link,
-                })
+                'pub_DOI_link': commentary.pub_DOI_link,
-            elif form.commentary_is_refused():
+                'author_list': commentary.author_list,
-                email_template = 'commentaries/vet_commentary_email_rejected.html'
+                'pub_date': commentary.pub_date,
-                email_context['refusal_reason'] = form.get_refusal_reason()
+                'pub_abstract': commentary.pub_abstract
-                email_context['further_explanation'] = form.cleaned_data['email_response_field']
+            })
+        elif form.commentary_is_refused():
-            # Send email and process form
+            email_template = 'commentaries/vet_commentary_email_rejected.html'
-            email_text = render_to_string(email_template, email_context)
+            email_context['refusal_reason'] = form.get_refusal_reason()
-            email_args = (
+            email_context['further_explanation'] = form.cleaned_data['email_response_field']
-                'SciPost Commentary Page activated',
-                email_text,
+        # Send email and process form
-                commentary.requested_by.user.email,
+        email_text = render_to_string(email_template, email_context)
-                ['commentaries@scipost.org']
+        email_args = (
-            )
+            'SciPost Commentary Page activated',
-            emailmessage = EmailMessage(*email_args, reply_to=['commentaries@scipost.org'])
+            email_text,
-            emailmessage.send(fail_silently=False)
+            commentary.requested_by.user.email,
-            commentary = form.process_commentary()
+            ['commentaries@scipost.org']
+        )
-            # For a modified commentary, redirect to request_commentary_form
+        emailmessage = EmailMessage(*email_args, reply_to=['commentaries@scipost.org'])
-            if form.commentary_is_modified():
+        emailmessage.send(fail_silently=False)
-                context = {'form': request_commentary_form}
+        commentary = form.process_commentary()
-                return render(request, 'commentaries/request_commentary.html', context)
+        # For a modified commentary, redirect to request_commentary_form
+        if form.commentary_is_modified():
+            context = {'form': request_commentary_form}
+            return render(request, 'commentaries/request_commentary.html', context)
    context = {'ack_header': 'SciPost Commentary request vetted.',
               'followup_message': 'Return to the ',
@@ -206,9 +211,8 @@ class CommentaryListView(ListView):
 def commentary_detail(request, arxiv_or_DOI_string):
-    commentary = get_object_or_404(Commentary, arxiv_or_DOI_string=arxiv_or_DOI_string)
+    commentary = get_object_or_404(Commentary.objects.vetted(),
-    if not commentary.vetted:
+                                   arxiv_or_DOI_string=arxiv_or_DOI_string)
-        raise Http404
    comments = commentary.comment_set.all()
    form = CommentForm()

--- a/scipost/views.py
+++ b/scipost/views.py
@@ -813,7 +813,8 @@ def personal_page(request):
    nr_thesislink_requests_to_vet = 0
    nr_authorship_claims_to_vet = 0
    if contributor.is_VE():
-        nr_commentary_page_requests_to_vet = Commentary.objects.filter(vetted=False).count()
+        nr_commentary_page_requests_to_vet = (Commentary.objects.awaiting_vetting()
+                                              .exclude(requested_by=contributor).count())
        nr_comments_to_vet = Comment.objects.filter(status=0).count()
        nr_thesislink_requests_to_vet = ThesisLink.objects.filter(vetted=False).count()
        nr_authorship_claims_to_vet = AuthorshipClaim.objects.filter(status='0').count()