Fixed security bug on users info

2014-10-01 23:49:23 +02:00 · 2014-10-01 23:49:23 +02:00 · 27f12f7be9
parent 20ae48a6b0
commit 27f12f7be9
2 changed files with 2 additions and 3 deletions
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@ -54,8 +54,7 @@ class MembersFilterBackend(BaseFilterBackend):
                return queryset.filter(Q(memberships__project=project) | Q(id=project.owner.id)).distinct()
            else:
                raise exc.PermissionDenied(_("You don't have permisions to see this project users."))
-        else:
-            return queryset
+        return []


 class UsersViewSet(ModelCrudViewSet):
--- a/taiga/users/permissions.py
+++ b/taiga/users/permissions.py
@ -27,7 +27,7 @@ class IsTheSameUser(PermissionComponent):
 class UserPermission(TaigaResourcePermission):
    enought_perms = IsSuperUser()
    global_perms = None
-    retrieve_perms = AllowAny()
+    retrieve_perms = IsTheSameUser()
    update_perms = IsTheSameUser()
    destroy_perms = IsTheSameUser()
    list_perms = AllowAny()