docker/mailu
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Do not leak information about existing domains or users

Browse Source
This commit is contained in:
Pierre Jaury
2016-09-13 20:59:25 +02:00
parent dcda715382
commit 525089a531
1 changed files with 2 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
admin/freeposte/admin/access.py
View File

@@ -56,9 +56,7 @@ def domain_admin(args, kwargs, model, key):
``domain`` attribute which stores a related Domain instance). ``domain`` attribute which stores a related Domain instance).
""" """
obj = model.query.get(kwargs[key]) obj = model.query.get(kwargs[key])
if not obj: if obj:
flask.abort(404)
else:
domain = obj if type(obj) is models.Domain else obj.domain domain = obj if type(obj) is models.Domain else obj.domain
return domain in flask_login.current_user.get_managed_domains() return domain in flask_login.current_user.get_managed_domains()
@@ -79,9 +77,7 @@ def owner(args, kwargs, model, key):
if kwargs[key] is None and model == models.User: if kwargs[key] is None and model == models.User:
return True return True
obj = model.query.get(kwargs[key]) obj = model.query.get(kwargs[key])
if not obj: if obj:
flask.abort(404)
else:
user = obj if type(obj) is models.User else obj.user user = obj if type(obj) is models.User else obj.user
return ( return (
user.email == flask_login.current_user.email user.email == flask_login.current_user.email