Closed
Description
Checklist
- I have verified that the issue exists against the master branch of Django REST framework.
- I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
- This is not a usage question. (Those should be directed to the discussion group instead.)
- This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
- I have reduced the issue to the simplest possible case.
- I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)
Steps to reproduce
Create a simple view with code like this:

```python
from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework import permissions, generics

# Part and PartSerializer are the reporter's own model and serializer (not shown in
# the issue); the import locations below are assumed.
from .models import Part
from .serializers import PartSerializer

class MyCustomPermission(permissions.BasePermission):
    # Only the object-level hook is overridden; has_permission is inherited from
    # BasePermission and therefore returns True.
    def has_object_permission(self, request, view, obj):
        return False

class PartDetailView(generics.RetrieveAPIView):
    permission_classes = (permissions.IsAdminUser | MyCustomPermission,)
    authentication_classes = (JWTAuthentication,)
    queryset = Part.objects.all()
    serializer_class = PartSerializer
```
Try to open this view without authenticating at all (no authentication token).
Expected behavior
The framework should deny such a request, because the user is not authenticated and the framework isn't able to check whether they are an admin or not.
Actual behavior
But it will return the requested object to the unauthenticated user because of this:

```python
class BasePermission(metaclass=BasePermissionMetaclass):
    """
    A base class from which all permission classes should inherit.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True

    def has_object_permission(self, request, view, obj):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True


class IsAdminUser(BasePermission):
    """
    Allows access only to admin users.
    """

    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)
```

IsAdminUser always returns True on has_object_permission.
Actually it works as intended after I added

```python
def has_permission(self, request, view):
    return  # a bare return yields None, which the framework treats as a denial
```

into MyCustomPermission. Maybe BasePermission shouldn't return True at every request?
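As an added illustration (not DRF's code and not from the issue), the block below models the `|` composition the report describes: a simplified `OR` whose two checks run independently, so `IsAdminUser`'s inherited `has_object_permission` grants the object to an anonymous caller, next to a hypothetical `StrictOR` that only lets a side grant object access if that side also passed its own view-level check. `OR`, `StrictOR`, `object_allowed` and the request stand-ins `ANON`, `ADMIN`, `PART` are assumptions introduced here.

```python
from types import SimpleNamespace

class BasePermission:
    """Same defaults as the DRF base class quoted in the issue."""
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True

class IsAdminUser(BasePermission):
    # Inherits the permissive has_object_permission: the root of the report.
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)

class MyCustomPermission(BasePermission):
    def has_object_permission(self, request, view, obj):
        return False

class OR:
    """Simplified stand-in for the '|' operand: each check ORs the two sides on its own."""
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return self.op1.has_permission(request, view) or self.op2.has_permission(request, view)

    def has_object_permission(self, request, view, obj):
        return (self.op1.has_object_permission(request, view, obj)
                or self.op2.has_object_permission(request, view, obj))

class StrictOR(OR):
    """Hypothetical hardening: a side grants object access only if it also passes its
    own view-level check, so an inherited default cannot override that side's denial."""
    def has_object_permission(self, request, view, obj):
        return ((self.op1.has_permission(request, view)
                 and self.op1.has_object_permission(request, view, obj))
                or (self.op2.has_permission(request, view)
                    and self.op2.has_object_permission(request, view, obj)))

def object_allowed(perm, request, obj, view=None):
    """Mirror of a retrieve view: view-level check first, then the object check."""
    if not perm.has_permission(request, view):
        return False
    return bool(perm.has_object_permission(request, view, obj))

# Constructed inputs: an anonymous caller, a staff user, and a stand-in for the Part object.
ANON = SimpleNamespace(user=SimpleNamespace(is_staff=False))
ADMIN = SimpleNamespace(user=SimpleNamespace(is_staff=True))
PART = SimpleNamespace(pk=1)
```

With `OR`, `object_allowed(OR(IsAdminUser(), MyCustomPermission()), ANON, PART)` is True, which is the reported behaviour; with `StrictOR` the same anonymous request is denied while a staff user is still allowed.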