Permission fixes (#10713)

Maffooch · web-flow · commit 21eae4f2c2b1 · 2024-08-12T09:15:59.000-05:00
diff --git a/dojo/cred/views.py b/dojo/cred/views.py
@@ -38,7 +38,7 @@ def new_cred(request):
     return render(request, "dojo/new_cred.html", {"tform": tform})
 
 
-@user_is_authorized(Product, Permissions.Product_View, "pid")
+@user_is_authorized(Product, Permissions.Product_Edit, "pid")
 def all_cred_product(request, pid):
     prod = get_object_or_404(Product, id=pid)
     creds = Cred_Mapping.objects.filter(product=prod).order_by("cred_id__name")
diff --git a/dojo/endpoint/views.py b/dojo/endpoint/views.py
@@ -6,6 +6,7 @@
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.admin.utils import NestedObjects
+from django.core.exceptions import PermissionDenied
 from django.db import DEFAULT_DB_ALIAS
 from django.db.models import Count, Q, QuerySet
 from django.http import HttpResponseRedirect
@@ -178,7 +179,7 @@ def view_endpoint_host(request, eid):
     return process_endpoint_view(request, eid, host_view=True)
 
 
-@user_is_authorized(Endpoint, Permissions.Endpoint_View, "eid")
+@user_is_authorized(Endpoint, Permissions.Endpoint_Edit, "eid")
 def edit_endpoint(request, eid):
     endpoint = get_object_or_404(Endpoint, id=eid)
 
@@ -468,6 +469,9 @@ def prefetch_for_endpoints(endpoints):
 
 def migrate_endpoints_view(request):
 
+    if not request.user.is_superuser:
+        raise PermissionDenied
+
     view_name = "Migrate endpoints"
 
     html_log = clean_hosts_run(apps=apps, change=(request.method == "POST"))
