FIX SECURITY ISSUE - user details were sending HASHED password to fro…

…nt end.
nearbeach · Oct 20, 2021 · 4567b3f · 4567b3f
1 parent b6f4ff0
commit 4567b3f
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 14 deletions.
diff --git a/NearBeach/static/NearBeach/NearBeach.min.js b/NearBeach/static/NearBeach/NearBeach.min.js
diff --git a/NearBeach/static/NearBeach/NearBeach.min.js.gz b/NearBeach/static/NearBeach/NearBeach.min.js.gz
diff --git a/NearBeach/tests/test_object_data.py b/NearBeach/tests/test_object_data.py
@@ -0,0 +1,56 @@
+from django.contrib.auth.models import User
+from django.test import TestCase, Client
+from django.urls import reverse
+
+from NearBeach.views.search_views import search
+
+# Declaration of Username and Password
+username = 'team_leader'
+password = 'Test1234$'
+long_string = """
+    There once was a cat called Socks, she liked to eat treats whilst on stream. People liked to feed her treats because
+    she was adoriable. Currently she is licking my arm, I think because she enjoyed the treats she got on stream. Socks
+    does like to every now and then meow into the microphone.
+"""
+
+
+def login_user(c: object, self: object) -> object:
+    response = c.post(
+        reverse('login'),
+        self.credentials,
+        follow=True,
+    )
+    self.assertTrue(response.context['user'].is_active)
+
+
+class TestObjectData(TestCase):
+    fixtures = ['NearBeach_basic_setup.json']
+
+    def setUp(self):
+        self.credentials = {
+            'username': username,
+            'password': password
+        }
+
+    def test_incorrect_location_data(self):
+        c = Client()
+
+        # User wil be logged in
+        login_user(c, self)
+
+        # Get data of wrong location
+        response = c.post(reverse('associated_objects', args=['taks', 1]))
+        self.assertEqual(response.status_code, 200)
+        print("\n\n")
+        print(response.content)
+        print("\n\n")
+
+    def test_team_leader_searches(self):
+        c = Client()
+
+        # User will be logged in
+        login_user(c, self)
+
+        # Go to an existing customer -> user should have access
+        response = c.get(reverse('search'))
+        self.assertEqual(response.status_code, 200)
diff --git a/NearBeach/views/object_data_views.py b/NearBeach/views/object_data_views.py
@@ -16,6 +16,18 @@
 import urllib
 import urllib3
 
+OBJECT_ARRAY = [
+    'customer',
+    'kanban',
+    'requirement',
+    'requirement_item',
+    'request_for_change',
+    'organisation',
+    'project',
+    'task',
+]
+
+
 @require_http_methods(['POST'])
 @login_required(login_url='login', redirect_field_name="")
 def add_bug(request, destination, location_id):
@@ -316,6 +328,9 @@ def associated_objects(request, destination, location_id):
     if destination == 'organisation':
         return associated_objects_organisations(location_id)
 
+    if not destination in OBJECT_ARRAY:
+        return HttpResponseBadRequest("Object does not exist")
+
     # Get the data
     object_assignment_results = object_assignment.objects.filter(
         is_deleted=False,
@@ -613,6 +628,12 @@ def get_user_list_all(destination, location_id):
             group_id__in=group_results.values('group_id'),
         ).values('username_id'),
         is_active=True,
+    ).values(
+        'id',
+        'username',
+        'first_name',
+        'last_name',
+        'email',
     ).exclude(
         id__in=object_results.values('assigned_user_id')
     )
@@ -935,4 +956,7 @@ def user_list_all(request, destination, location_id):
     # Get Data we want
     user_results = get_user_list_all(destination, location_id)
 
-    return HttpResponse(serializers.serialize('json', user_results), content_type='application/json')
+    # Send back json data
+    json_results = json.dumps(list(user_results), cls=DjangoJSONEncoder)
+
+    return HttpResponse(json_results, content_type='application/json')
diff --git a/src/js/components/modules/wizards/AddUserWizard.vue b/src/js/components/modules/wizards/AddUserWizard.vue
@@ -130,18 +130,11 @@
                     `/object_data/${this.destination}/${this.locationId}/user_list_all/`,
                 ).then(response => {
                     //Clear the user fix list
-                    this.userFixList = [];
-
-                    //Loop through the response data and add each result to the userFixList
-                    response['data'].forEach(row => {
-                        //Construct object array
-                        var construction_object = {
-                            'value': row['pk'],
-                            'label': `${row['fields']['username']}: ${row['fields']['first_name']} ${row['fields']['last_name']}`
-                        };
-
-                        //Push the changes
-                        this.userFixList.push(construction_object);
+                    this.userFixList = response['data'].map(row => {
+                        return {
+                            'value': row['id'],
+                            'label': `${row['username']}: ${row['first_name']} ${row['last_name']}`
+                        }
                     });
                 });
             }