From 81b26874c7720af08e80550a1c9218d0fc027dea Mon Sep 17 00:00:00 2001
From: Loic Baron
Date: Tue, 25 Nov 2014 18:34:45 +0100
Subject: [PATCH] Using execute_admin_query in actions.py to enable AccountView to generate new keys even without synced credentials - AccountView is SECURED but other views to be checked

---
 portal/accountview.py | 17 +++++++++++++----
 portal/actions.py     |  2 +-
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/portal/accountview.py b/portal/accountview.py
index 325796bc..c8c17793 100644
--- a/portal/accountview.py
+++ b/portal/accountview.py
@@ -261,10 +261,19 @@ def account_process(request):
         platform_query = Query().get('local:platform').select('platform_id','platform')
         platform_details = execute_query(request, platform_query)
 
-        # getting the user_id from the session
-        for user_detail in user_details:
-            user_id = user_detail['user_id']
-            user_email = user_detail['email']
+        # getting the user_id from the session
+        for user_detail in user_details:
+            user_id = user_detail['user_id']
+            user_email = user_detail['email']
+            try:
+                if user_email == request.user.email:
+                    authorize_query = True
+                else:
+                    print "SECURITY: %s tried to update %s" % (user_email, request.user.email)
+                    messages.error(request, 'You are not authorized to modify another user.')
+                    return HttpResponseRedirect("/portal/account/")
+            except Exception,e:
+                print "Exception = %s" % e
 
         for account_detail in account_details:
             for platform_detail in platform_details:
diff --git a/portal/actions.py b/portal/actions.py
index 1831ea71..29597218 100644
--- a/portal/actions.py
+++ b/portal/actions.py
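Review bot: The new authorization check in account_process fails open: the `try` wraps the comparison with `request.user.email`, and the `except Exception,e:` branch only prints and falls through, so any exception raised there (for instance a user object without an `email` attribute, if such a request can reach this view) skips the denial and continues into the update loop below. The except branch should deny the same way the else branch does, e.g. `except Exception, e:` / `print "SECURITY: authorization check failed for %s: %s" % (user_email, e)` / `return HttpResponseRedirect("/portal/account/")`, or, better, keep only the attribute access inside the try and do the comparison outside it. The check also never runs when `user_details` is empty, because the loop body is what carries the denial; where `user_details` is built is outside this hunk, so whether that query can return no rows should be confirmed and guarded. `authorize_query` is assigned but not read anywhere within the hunk, and the SECURITY line goes to `print` rather than the logging framework, so it is likely to be lost in production. account_process starts before and continues after this hunk.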
@@ -117,7 +117,7 @@ def sfa_update_user(request, user_hrn, user_params):
     if 'email' in user_params:
         user_params['user_email'] = user_params['email']
     query = Query.update('user').filter_by('user_hrn', '==', user_hrn).set(user_params).select('user_hrn')
-    results = execute_query(request,query)
+    results = execute_admin_query(request,query)
     return results
 
 def sfa_add_authority(request, authority_params):
-- 
2.43.0
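Review bot: With `execute_admin_query` on the changed line, the update filtered by `user_hrn` in sfa_update_user now runs with admin credentials regardless of who is calling, so this function itself no longer enforces that `user_hrn` belongs to `request.user`; every caller must do that check, and the commit message concedes that only AccountView has been audited. That contract should be written next to the changed line, e.g. `# SECURITY: runs as admin -- callers MUST verify user_hrn belongs to request.user before calling`. It would be safer for the function to verify `user_hrn` against the requesting user before issuing the query rather than trusting each view, though what mapping from request.user to an hrn is available is not visible here. The body of sfa_update_user starts above this hunk, and the trailing `def sfa_add_authority` line is context only.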