Prevent information extraction about organization memberships

Check first that the requesting user really has the corresponding rights to play with an organization because doing more checks whose errors can provide information about who is a member of which organization.
pytition · Feb 14, 2023 · 9b36910 · 9b36910
1 parent 1c02fe0
commit 9b36910
Showing 1 changed file with 19 additions and 19 deletions.
diff --git a/pytition/petition/views.py b/pytition/petition/views.py
@@ -893,41 +893,41 @@ def org_set_user_perms(request, orgslugname, user_name):
     """
     pytitionuser = get_session_user(request)
 
-    try:
-        member = PytitionUser.objects.get(user__username=user_name)
-    except PytitionUser.DoesNotExist:
-        messages.error(request, _("User does not exist"))
-        return redirect("org_dashboard", orgslugname)
-
     try:
         org = Organization.objects.get(slugname=orgslugname)
     except Organization.DoesNotExist:
         raise Http404(_("Organization does not exist"))
 
-    if org not in member.organization_set.all():
-        messages.error(request, _("This user is not part of organization \'{orgname}\'".format(orgname=org.name)))
-        return redirect("org_dashboard", org.slugname)
-
-    try:
-        permissions = Permission.objects.get(user=member, organization=org)
-    except Permission.DoesNotExist:
-        messages.error(request, _("Fatal error, this user does not have permissions attached for this organization"))
-        return redirect("org_dashboard", org.slugname)
+    if pytitionuser not in org.members.all():
+        messages.error(request, _("You are not part of this organization"))
+        return redirect("user_dashboard")
 
     try:
         userperms = Permission.objects.get(user=pytitionuser, organization=org)
     except:
         messages.error(request, _("Fatal error, you don't have permissions attached to you for this organization"))
         return redirect("org_dashboard", org.slugname)
 
-    if pytitionuser not in org.members.all():
-        messages.error(request, _("You are not part of this organization"))
-        return redirect("user_dashboard")
-
     if not userperms.can_modify_permissions:
         messages.error(request, _("You are not allowed to modify this organization members' permissions"))
         return redirect("org_edit_user_perms", orgslugname, user_name)
 
+    try:
+        member = PytitionUser.objects.get(user__username=user_name)
+    except PytitionUser.DoesNotExist:
+        messages.error(request, _("User does not exist"))
+        return redirect("org_dashboard", orgslugname)
+
+    if org not in member.organization_set.all():
+        messages.error(request, _("This user is not part of organization \'{orgname}\'".format(orgname=org.name)))
+        return redirect("org_dashboard", org.slugname)
+
+    try:
+        permissions = Permission.objects.get(user=member, organization=org)
+    except Permission.DoesNotExist:
+        messages.error(request, _("Fatal error, this user does not have permissions attached for this organization"))
+        return redirect("org_dashboard", org.slugname)
+
     if request.method == "POST":
         error = False
         post = request.POST