fix: prevent IDOR in application status update endpoint

Replace class-level queryset attribute with get_queryset() method that
scopes Application objects to the requesting admin's organization,
preventing regular admins from modifying applications belonging to
other organizations via pk enumeration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
TianyangZhang 2026-03-25 08:31:31 +08:00
parent 0ccd943255
commit 619ca19f87
1 changed files with 6 additions and 1 deletions


@ -31,7 +31,12 @@ class ApplicationManageViewSet(viewsets.ReadOnlyModelViewSet):
class ApplicationStatusUpdateView(generics.UpdateAPIView): class ApplicationStatusUpdateView(generics.UpdateAPIView):
serializer_class = ApplicationStatusSerializer serializer_class = ApplicationStatusSerializer
permission_classes = [IsAdminOrSuperAdmin] permission_classes = [IsAdminOrSuperAdmin]
queryset = Application.objects.all()
def get_queryset(self):
user = self.request.user
if user.is_superadmin:
return Application.objects.all()
return Application.objects.filter(job__organization=user.organization)
def perform_update(self, serializer): def perform_update(self, serializer):
instance = serializer.save() instance = serializer.save()
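Review bot: The new `get_queryset` filters on `job__organization=user.organization` without handling the case where `user.organization` is `None`; Django turns an `=None` lookup into `IS NULL`, so a non-superadmin with no organization would be scoped to every application whose job has no organization rather than to nothing. If the organization field is nullable on the user model (not visible here), add an explicit guard before the filter: `if user.organization is None:` / `    return Application.objects.none()`. Scoping in `get_queryset` is the right place for this fix, since `get_object()` then yields a 404 for out-of-scope pks instead of a 403 that would confirm the object exists; a short comment stating that intent, such as `# Scope by organization so out-of-scope pks 404 (no existence leak)`, would help the next reader. `is_superadmin` is assumed to be a real attribute on the user model; the body of `perform_update` continues outside the hunk.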