From e2d2d2cc99478106f42bc1a573da0919428c5479 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <yohann.danello@gmail.com>
Date: Fri, 20 Mar 2020 18:22:20 +0100
Subject: [PATCH] Anonymous users have no right

---
 apps/permission/backends.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/apps/permission/backends.py b/apps/permission/backends.py
index 3d911b1a..e61b0719 100644
--- a/apps/permission/backends.py
+++ b/apps/permission/backends.py
@@ -2,15 +2,15 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 from django.contrib.auth.backends import ModelBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Q, F
 from note.models import Note, NoteUser, NoteClub, NoteSpecial
 from note_kfet.middlewares import get_current_session
-from permission.models import Permission
-
 from member.models import Membership, Club
 
+from .models import Permission
+
 
 class PermissionBackend(ModelBackend):
     """
@@ -66,6 +66,10 @@ class PermissionBackend(ModelBackend):
         :return: A query that corresponds to the filter to give to a queryset
         """
 
+        if user is None or isinstance(user, AnonymousUser):
+            # Anonymous users can't do anything
+            return Q(pk=-1)
+
         if user.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
             # Superusers have all rights
             return Q()
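Review bot: The new guard recognises an anonymous caller only by `isinstance(user, AnonymousUser)`, so an unauthenticated user-like object of any other class would fall through to the `user.is_superuser` check below. Testing the property instead, `if user is None or not user.is_authenticated:`, fails closed for any such object; the same applies to the identical test added to `has_perm` in the last hunk. The deny-all filter `Q(pk=-1)` also relies on no row ever having that key, whereas `Q(pk__in=[])` matches nothing without that assumption. The method's signature and the rest of its body are outside the hunk, so how the returned `Q` is combined by callers cannot be checked from here.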
@@ -86,6 +90,9 @@ class PermissionBackend(ModelBackend):
         return query
 
     def has_perm(self, user_obj, perm, obj=None):
+        if user_obj is None or isinstance(user_obj, AnonymousUser):
+            return False
+
         if user_obj.is_superuser and get_current_session().get("permission_mask", 0) >= 42:
             return True
 
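Review bot: The early return in `has_perm` rejects `None` and anonymous users but not deactivated accounts, and the superuser shortcut right after it returns `True` without looking at `is_active`. Django's stock `ModelBackend.has_perm` refuses inactive users, and this override does not visibly keep that check. Unless the rest of the method (outside the hunk) handles it, extend the guard to `if user_obj is None or not user_obj.is_authenticated or not user_obj.is_active: return False`. A one-line docstring stating that the backend denies by default for unauthenticated or inactive users would make the contract explicit.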
-- 
GitLab