(from parent 1: 39783cb)
Add check for permissions on deleting a SAML2 Service Provider
author Patrick Uiterwijk <puiterwijk@redhat.com> Mon, 12 Oct 2015 16:53:52 +0000 (18:53 +0200)
committer Patrick Uiterwijk <puiterwijk@redhat.com> Wed, 14 Oct 2015 13:31:48 +0000 (15:31 +0200)
Fixes: #194
Fixes: CVE-2015-5301
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
ipsilon/providers/saml2/admin.py
diff --git
a/ipsilon/providers/saml2/admin.py
b/ipsilon/providers/saml2/admin.py
index
9d06be1
..
c7a0289
100644
(file)
--- a/
ipsilon/providers/saml2/admin.py
+++ b/
ipsilon/providers/saml2/admin.py
@@
-307,6
+307,9
@@
class SPAdminPage(AdminPage):
message_type=message_type)
def delete(self):
+ if (not self.user.is_admin and
+ self.user.name != self.sp.owner):
+ raise cherrypy.HTTPError(403)
self.parent.del_sp(self.sp.name)
self.sp.permanently_delete()
return self.parent.root()
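Review bot: the owner comparison in the new `if` at the top of `delete()` lets a non-admin through whenever `self.user.name` equals `self.sp.owner`, and nothing in this hunk shows that either value is guaranteed to be set. If both can be empty or None, the check passes for a caller who owns nothing. Consider requiring a non-empty user name before comparing, for example `not self.user.name or self.user.name != self.sp.owner` inside the non-admin branch. The rule is also written inline here. If other state-changing handlers on `SPAdminPage` need the same admin-or-owner rule, a small shared helper would keep them consistent and give one place to test. Finally, the bare `cherrypy.HTTPError(403)` leaves no trace on the server side. Logging the denied user and SP name before raising would make refused delete attempts visible, and a regression test covering a non-owner, non-admin delete would pin the fix.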