From 85b18ecbfe9effef952c76d5202fee8e3f72e646 Mon Sep 17 00:00:00 2001
From: Lucas Brandstaetter <lucas@brandstaetter.tech>
Date: Thu, 5 Dec 2024 00:34:28 +0100
Subject: [PATCH] Fix rights to badges from non public assemblies

Badges from non public assemblies should not be accessible by users who are not part of the assembly.
---
 src/core/models/badges.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/core/models/badges.py b/src/core/models/badges.py
index 1417a2d3a..f9e62844f 100644
--- a/src/core/models/badges.py
+++ b/src/core/models/badges.py
@@ -67,18 +67,20 @@ def get_badge_filename(instance: 'Badge', filename: str):
 class BadgeManager(ConferenceManagerMixin['Badge']):
 def apply_public_filter(self, queryset: 'QuerySet[Badge]', member: ConferenceMember | None = None) -> 'QuerySet[Badge]':
 if member is None:
- return queryset.filter(state=Badge.State.PUBLIC)
- return queryset.filter(Q(state=Badge.State.PUBLIC) | Q(users__user=member.user))
+ return queryset.filter(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)
+ return queryset.filter(Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES) | Q(users__user=member.user))
 def accessible_by_user(self, user: PlatformUser, conference: Conference, staff_can_manage=True) -> 'QuerySet[Badge]':
 if user is None or not user.is_authenticated:
 user = PlatformUser.get_anonymous_user()
 qs = self.get_queryset()
 if not user.is_authenticated:
- return qs.filter(state=Badge.State.PUBLIC)
+ return qs.filter(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)
 manageable = Assembly.objects.manageable_by_user(conference, user=user, staff_can_manage=staff_can_manage)
- return qs.filter(Q(state=Badge.State.PUBLIC) | Q(users__user=user) | Q(issuing_assembly__in=manageable))
+ return qs.filter(
+ Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES) | Q(users__user=user) | Q(issuing_assembly__in=manageable)
+ )
 def get_badge_image_help_text() -> str:
-- 
GitLab
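Review bot: The public-visibility condition `state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES` is now written out four times, in both returns of `apply_public_filter` and both returns of `accessible_by_user`, so a later change to the rule that misses one copy would silently reopen the exposure this commit closes. Building it in one place, for example a private manager method `def _public_q(self) -> Q:` that does `return Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)`, and composing it as `self._public_q() | Q(users__user=user)` keeps the two methods in step. The diffstat lists only `badges.py`, so this access-control fix ships without a regression test; a case with a PUBLIC badge whose issuing assembly is outside `Assembly.PUBLIC_STATES`, queried as an anonymous user, as an unrelated member and as a manager of that assembly, would pin the intended behaviour. If `issuing_assembly` is nullable (not visible in this hunk), badges without an assembly now drop out of the public result as well, which is worth confirming as intended.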