

job_seekers_views: add a tunnel key to the session
When initializing the job_seeker_session, we set a `tunnel` key to
determine which action will be performed in the job_seekers_views block
with that session (here, `job-seeker-update`).

This prevents a (malicious) user from tampering with the session and using a session that was not intended for updating a job seeker to do so.
EwenKorr committed Jan 7, 2025
1 parent b4b54b9 commit 1ccbb61
Showing 3 changed files with 33 additions and 2 deletions.
7 changes: 6 additions & 1 deletion itou/www/job_seekers_views/views.py
Expand Up @@ -785,7 +785,7 @@ def setup(self, request, *args, **kwargs):
self.job_seeker_session = SessionNamespace.create_uuid_namespace(
request.session,
data={
"config": {"from_url": from_url},
"config": {"from_url": from_url, "tunnel": "job-seeker-update"},
"job_seeker_pk": job_seeker.pk,
"apply": {"company_pk": company.pk},
},
Expand All @@ -809,6 +809,11 @@ def get_job_seeker_queryset(self):

def setup(self, request, *args, **kwargs):
super().setup(request, *args, **kwargs)

# Check that the session was initialized to update a job seeker.
if self.job_seeker_session.get("config").get("tunnel") != "job-seeker-update":
raise Http404

self.job_seeker = get_object_or_404(
self.get_job_seeker_queryset(), pk=self.job_seeker_session.get("job_seeker_pk")
)
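Review bot: The tunnel check in the second hunk dereferences `self.job_seeker_session.get("config").get("tunnel")`, so a session whose data has no `"config"` entry at all raises AttributeError and surfaces as a 500 rather than the intended 404; since the whole point of the check is to reject sessions not created for this flow, a malformed or foreign session shape should fail closed the same way. Guarding the lookup covers that case in one line: `if (self.job_seeker_session.get("config") or {}).get("tunnel") != "job-seeker-update":`. The literal `"job-seeker-update"` now appears in both hunks of this file and in the tests; a module-level constant (or an enum of tunnel values) would keep the setter and the checker from drifting apart. The body of `setup` continues past the end of the second hunk, and the first hunk's `setup` begins above it.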
2 changes: 1 addition & 1 deletion tests/www/apply/test_submit.py
Expand Up @@ -3481,7 +3481,7 @@ def setup_method(self, settings, mocker):
)
self.config = {
"apply": {"company_pk": self.company.pk},
"config": {"from_url": from_url},
"config": {"from_url": from_url, "tunnel": "job-seeker-update"},
"job_seeker_pk": self.job_seeker.pk,
}
self.step_1_url = reverse(
26 changes: 26 additions & 0 deletions tests/www/job_seekers_views/test_create_or_update.py
Expand Up @@ -7,8 +7,10 @@

from itou.asp.models import Commune, Country
from itou.users.enums import Title
from itou.utils.session import SessionNamespace
from itou.utils.urls import add_url_params
from tests.companies.factories import CompanyFactory
from tests.prescribers.factories import PrescriberOrganizationWithMembershipFactory
from tests.users.factories import JobSeekerFactory
from tests.utils.test import KNOWN_SESSION_KEYS

Expand Down Expand Up @@ -190,6 +192,30 @@ def test_birth_country_france_and_no_birthplace(self, client):
)


class TestUpdateJobSeeker:
def test_update_with_wrong_tunnel_in_session(self, client):
job_seeker = JobSeekerFactory()
company = CompanyFactory(with_membership=True)
prescriber = PrescriberOrganizationWithMembershipFactory(authorized=True).members.first()
client.force_login(prescriber)

# Create a session with a wrong tunnel key
job_seeker_session = SessionNamespace.create_uuid_namespace(
client.session,
data={
"config": {"from_url": reverse("dashboard:index"), "tunnel": "job-seeker-create"},
"job_seeker_pk": job_seeker.pk,
"apply": {"company_pk": company.pk},
},
)
job_seeker_session.save()

url = reverse("job_seekers_views:update_job_seeker_step_1", kwargs={"session_uuid": job_seeker_session.name})
response = client.get(url)

assert response.status_code == 404


class TestUpdateJobSeekerStart:
def test_update_start_with_valid_parameters(self, client):
job_seeker = JobSeekerFactory()
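Review bot: `test_update_with_wrong_tunnel_in_session` only exercises a session whose `"config"` carries a different tunnel value; a second case where `"config"` has no `"tunnel"` key at all (the shape any session created before this commit would have) is the one most likely to be hit in practice and is not covered. Whether that case currently yields 404 or an unhandled error depends on how the view reads the missing key, which this hunk does not show, so pinning it in a test is worthwhile either way. A short comment on the new case would make the intent clear: `# Sessions created before the tunnel key existed must be rejected too.`. The view under test is outside this file, so the expected status for the missing-key case should be confirmed against it.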
