Deletion of tags: permission is not checked in the backend #1915

ebroda · 2024-12-04T11:11:00Z

Description of the issue

Currently, there is no check in the backend if a user is admin & allowed to delete tags.

So, if you manipulate the DOM and simply add the delete button, you can delete tags even without being an admin.

https://github.com/OpenEnergyPlatform/oeplatform/blob/develop/dataedit/templates/dataedit/tag_editor.html

Ideas of solution

Add check if user is admin before executing the deletion, somewhere here:

oeplatform/dataedit/views.py

Lines 671 to 673 in 4cd7b6a

    
           elif "submit_delete" in request.POST: 
        
               id = request.POST["tag_id"] 
        
               delete_tag(id)

Context and Environment

Version used: 1.0.5
Operating system: -
Environment setup and (python) version: -

Workflow checklist

I am aware of the workflow in CONTRIBUTING.md

ebroda added the bug label Dec 4, 2024

ebroda changed the title ~~Deleting of tags is not checked in the backend~~ Deleting of tags: permission is not checked in the backend Dec 4, 2024

ebroda changed the title ~~Deleting of tags: permission is not checked in the backend~~ Deletion of tags: permission is not checked in the backend Dec 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Deletion of tags: permission is not checked in the backend #1915

Deletion of tags: permission is not checked in the backend #1915

ebroda commented Dec 4, 2024 •

edited

Loading

Deletion of tags: permission is not checked in the backend #1915

Deletion of tags: permission is not checked in the backend #1915

Comments

ebroda commented Dec 4, 2024 • edited Loading

Description of the issue

Ideas of solution

Context and Environment

Workflow checklist

ebroda commented Dec 4, 2024 •

edited

Loading