path: root/postgresqleu/util/backendviews.py
authorMagnus Hagander2024-01-17 10:03:16 +0000
committerMagnus Hagander2024-01-17 10:03:16 +0000
commite27b36e8bb5bc622bccb304dfc9752cac6d1c0f6 (patch)
treefbd4aca505a1ca2204323b2a01aba015228264f9 /postgresqleu/util/backendviews.py
parent776a70a5ba1b148aabd0819de0df285ef512a6d2 (diff)
Fully validate fields when using multi-assign
Previously there was a way for an admin to inject modifications of fields that shouldn't be there, by manipulating the POST. Only admins, but nevertheless it should be validated - and now also gives a correct error message instead of a crash...
Diffstat (limited to 'postgresqleu/util/backendviews.py')
-rw-r--r--postgresqleu/util/backendviews.py12
1 files changed, 9 insertions, 3 deletions
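--- a/postgresqleu/util/backendviews.py
+++ b/postgresqleu/util/backendviews.py
@@ -259,13 +259,19 @@ def backend_list_editor(request, urlname, formclass, resturl, allow_new=True, al
 if request.method == "POST":
 if request.POST.get('operation') == 'assign':
 what = request.POST.get('what')
+
+ # Validate this is a field we're allowed to edit
+ if what not in formclass.Meta.fields:
+ # Trying to update invalid field!
+ raise Http404('Invalid field')
+ if what not in (f['name'] for f in formclass.get_assignable_columns(conference)):
+ raise PermissionDenied()
+
 related = formclass.Meta.model._meta.get_field(what).related_model
 setval = request.POST.get('assignid')
 if setval:
 setval = int(setval)
- if what not in formclass.Meta.fields:
- # Trying to update invalid field!
- raise PermissionDenied()
+
 with transaction.atomic():
 for obj in objects.filter(id__in=request.POST.get('idlist').split(',')):
 if isinstance(getattr(obj, what), bool):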
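Review bot: The two new guards report the same kind of tampering in two different ways — a `what` outside `Meta.fields` becomes a 404 while a field that is present but not assignable becomes a 403 — and neither leaves a log trace, which matters given the description frames this as an admin manipulating the POST. Raising `SuspiciousOperation('Invalid field')` in place of `Http404('Invalid field')` would answer with 400 and route through Django's security logger, and the comment above the check could read `# 'what' comes from the request: it must name a form field the caller may mass-assign`. Also confirm that `Http404` is imported in this module, since the hunk only shows `PermissionDenied` in use before this change. The adjacent `int(setval)` and `request.POST.get('idlist').split(',')` on the context lines still raise on malformed input, so the "instead of a crash" goal in the description appears to hold only for `what`. backend_list_editor starts before this hunk and continues after it.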