AI security fixes

musicians/views.py

@@ -5,6 +5,7 @@ from django import forms
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.models import User
 from django.contrib.auth.views import PasswordChangeView
+from django.core.exceptions import PermissionDenied
 from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse_lazy
@@ -76,6 +77,9 @@ def own_profile(request):
 def user_edit(request, username):
     musician = get_object_or_404(Musician, user__username=username)
 
+    if request.user != musician.user and not request.user.is_staff:
+        raise PermissionDenied
+
     if request.method == "POST":
         form = UserEditForm(request.POST, instance=musician)
         if form.is_valid():
@@ -93,7 +97,20 @@ class MusicianUpdate(UpdateView):
     model = Musician
     template_name = "musicians/musician_edit.html"
     success_url = "/books/"
-    fields = "__all__"
+    fields = [
+        "image",
+        "small_image",
+        "instrument",
+        "birthday",
+        "street",
+        "city",
+        "zip_code",
+        "phone_home",
+        "phone_mobile",
+        "phone_work",
+        "position",
+        "public_description",
+    ]
 
 
 def addressbook(request):
@@ -137,11 +154,11 @@ def login_view(request):
         result["err"] = ""
         if user is not None:
             if user.is_active:
-                if not request.POST.get("remember", None):
-                    # Expire in one year
+                if request.POST.get("remember", None):
+                    # "Remember me" checked: keep session for one year
                     request.session.set_expiry(timedelta(weeks=52))
                 else:
-                    # Expire on browser close
+                    # No "remember me": expire on browser close
                     request.session.set_expiry(0)
 
                 login(request, user)