CWE-639 — Broken Object-Level Authorization
File: community/views.py:67-76
validate_obj_owner() silently catches AttributeError when a model lacks an owner field, returning the object without authorization:
def validate_obj_owner(obj, user):
try:
if not obj.owner == user:
raise Http404()
except AttributeError:
pass # ← bypasses check
return obj
Impact: Company model has no owner field → CompanyUpdateView and CompanyDeleteView (both inherit OwnedObject) allow any authenticated user to edit/delete any company.
Fix:
def validate_obj_owner(obj, user):
if not hasattr(obj, 'owner'):
raise Http404()
if obj.owner != user:
raise Http404()
return obj
Reporter: Juan Lucas Armendares — Sunplace Solutions
CWE-639 — Broken Object-Level Authorization
File:
community/views.py:67-76validate_obj_owner()silently catchesAttributeErrorwhen a model lacks anownerfield, returning the object without authorization:Impact:
Companymodel has noownerfield →CompanyUpdateViewandCompanyDeleteView(both inheritOwnedObject) allow any authenticated user to edit/delete any company.Fix:
Reporter: Juan Lucas Armendares — Sunplace Solutions