Description
Function Level Access Control is the practice of protecting every web function or call against unauthorized use by checking the permissions of the requester on each request. Missing Function Level Access Control results when an application does not properly protect one or more of these paths. Such vulnerabilities are easy for a developer to overlook (they are often as simple as a single missed check) but equally easy for an attacker to detect and exploit: if the only "protection" is that a link is hidden from the user interface, a changed URL or form parameter is all it takes to reach the unprotected function.
Remember that any code executing on the client cannot be trusted to protect such paths. Always double-check user authorization on the server. The Django view below checks `has_perm` only on the GET branch; the POST branch, which actually changes group membership, has no such check.
```python
from django.contrib.auth.models import Group, User
from django.shortcuts import redirect, render_to_response
from django.template import RequestContext


def manage_groups(request):
    user = request.user
    if user.is_authenticated():
        user_list = User.objects.order_by('date_joined')
        if request.method == 'POST':
            # VULNERABLE: this branch modifies group membership but never
            # checks user.has_perm('can_change_group'); any logged-in user
            # who submits the form reaches it.
            post_data = request.POST.dict()
            accesslevel = post_data["accesslevel"].strip()
            if accesslevel in ['admin_g', 'project_managers', 'team_member']:
                try:
                    grp = Group.objects.get(name=accesslevel)
                except Group.DoesNotExist:
                    grp = Group.objects.create(name=accesslevel)
                # filter().first() returns None for an unknown id instead of
                # raising, so the existence check below actually works
                user = User.objects.filter(pk=post_data["userid"]).first()
                # Check if the user even exists
                if user is None:
                    return redirect('/taskManager/', {'permission': False})
                user.groups.add(grp)
                user.save()
                return render_to_response('taskManager/manage_groups.html',
                    {'users': user_list, 'groups_changed': True, 'logged_in': True},
                    RequestContext(request))
            else:
                return render_to_response('taskManager/manage_groups.html',
                    {'users': user_list, 'logged_in': True}, RequestContext(request))
        else:
            # Only the read-only GET path is protected by the permission check
            if user.has_perm('can_change_group'):
                return render_to_response('taskManager/manage_groups.html',
                    {'users': user_list, 'logged_in': True}, RequestContext(request))
            else:
                return redirect('/taskManager/', {'permission': False})
    else:
        return redirect('/taskManager/', {'logged_in': False})
```
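The hardened pattern, as an added example that is not part of the original page or the task-manager application: the authorization check is applied once, at the function boundary, so every HTTP method the view handles passes through it. To keep the example runnable without Django, the `User`, `Request` and in-memory `USERS` store below are constructed stand-ins for `request.user`, `has_perm` and the ORM; the decorator `require_perm` plays the role Django's `permission_required` would play in the real application.

```python
from dataclasses import dataclass, field
from functools import wraps

ALLOWED_GROUPS = {'admin_g', 'project_managers', 'team_member'}


@dataclass
class User:
    """Constructed stand-in for a Django user."""
    username: str
    perms: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    is_authenticated: bool = True

    def has_perm(self, perm):
        return perm in self.perms


@dataclass
class Request:
    """Constructed stand-in for a Django HttpRequest."""
    user: User
    method: str = 'GET'
    POST: dict = field(default_factory=dict)


USERS = {}  # constructed in-memory "database", keyed by user id (string)


def require_perm(perm):
    """Enforce the server-side check for every method the view handles,
    before any of the view's own logic runs."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if not request.user.is_authenticated:
                return ('redirect', '/taskManager/', {'logged_in': False})
            if not request.user.has_perm(perm):
                return ('redirect', '/taskManager/', {'permission': False})
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


@require_perm('can_change_group')
def manage_groups_hardened(request):
    """Same behaviour as the page's view, but the permission check above
    covers GET and POST alike, so a hand-crafted POST is rejected too."""
    if request.method != 'POST':
        return ('render', 'manage_groups.html', {'groups_changed': False})
    accesslevel = request.POST.get('accesslevel', '').strip()
    if accesslevel not in ALLOWED_GROUPS:
        return ('render', 'manage_groups.html', {'groups_changed': False})
    target = USERS.get(request.POST.get('userid'))
    if target is None:  # check the target user exists before touching it
        return ('redirect', '/taskManager/', {'permission': False})
    target.groups.add(accesslevel)
    return ('render', 'manage_groups.html', {'groups_changed': True})


def demo():
    """Exercise the hardened view with constructed users and return the
    outcome of each request so the difference is visible."""
    USERS.clear()
    USERS['1'] = User('alice', perms={'can_change_group'})
    USERS['2'] = User('bob')  # authenticated, but no permission
    anon = User('anonymous', is_authenticated=False)
    post = {'accesslevel': 'admin_g', 'userid': '2'}
    return {
        'anon_post': manage_groups_hardened(Request(anon, 'POST', post)),
        'bob_get': manage_groups_hardened(Request(USERS['2'])),
        'bob_post': manage_groups_hardened(Request(USERS['2'], 'POST', post)),
        'alice_post': manage_groups_hardened(Request(USERS['1'], 'POST', post)),
        'bob_groups': set(USERS['2'].groups),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

Note that `bob_post` is the request the page's vulnerable view would have accepted; here it is turned away before the view body runs, and Bob only ends up in `admin_g` after Alice, who holds `can_change_group`, submits the form.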