Serializer: PUT nested object without permission fails quietly (and reveals database content)
The following unit test passes:
import json

from django.conf import settings
from rest_framework.test import APITestCase

# test models from djangoldp's own test suite (djangoldp/tests/models.py)
from djangoldp.tests.models import LDPDummy, PermissionlessDummy


class TestNestedPermission(APITestCase):
    def test_patch_nested_without_permission(self):
        # I am attempting to update a resource which I should not know exists
        parent = LDPDummy.objects.create(some='parent')
        dummy = PermissionlessDummy.objects.create(some='some', slug='slug')
        data = {
            'anons': [
                {'@id': '{}/permissionless-dummys/{}/'.format(settings.SITE_URL, dummy.slug), 'slug': dummy.slug}
            ]
        }
        response = self.client.patch('/ldpdummys/{}/'.format(parent.pk), data=json.dumps(data),
                                     content_type='application/ld+json')
        # the request succeeds, but the nested object I may not change is dropped without an error
        self.assertEqual(response.status_code, 200)
        self.assertEqual(len(response.data['anons']['ldp:contains']), 0)
        parent = LDPDummy.objects.get(pk=parent.pk)
        self.assertEqual(parent.anons.count(), 0)
The serializer rejects my permission to update the nested resource correctly. It is not failing totally silently, because it does not pretend to have created the resource in the response. It should possibly be failing more loudly, returning a 403 or 400.
If I have the model permission add, then I can deduce from this request that the permissionless-dummy which I attempted to change exists, which is a minor security vulnerability as I do not have permission to know that this exists.
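As an added illustration of the existence oracle described in the report (this is not code from the issue or from djangoldp; the Store and Dummy classes, the allowed_users permission rule, the slug names and both handlers are constructed stand-ins), the following models a nested write under two policies. silent_drop_patch reproduces the reported behaviour: a nested reference the caller may not change is dropped without an error, while a reference to a slug that does not exist is created when the caller holds the add permission, so the two responses differ and reveal whether the hidden object exists. hardened_patch resolves nested references only against objects the caller may change and fails uniformly otherwise, so a hidden object and a missing one are indistinguishable.

```python
from dataclasses import dataclass, field


@dataclass
class Dummy:
    slug: str
    # constructed stand-in for a model-level permission check: the set of
    # users allowed to view and change this object
    allowed_users: set


@dataclass
class Store:
    objects: dict = field(default_factory=dict)  # slug -> Dummy

    def get(self, slug):
        return self.objects.get(slug)

    def create(self, slug, owner):
        if slug in self.objects:
            raise ValueError("slug already exists")
        obj = Dummy(slug, {owner})
        self.objects[slug] = obj
        return obj


def make_store():
    """Constructed fixture: one object that only 'admin' may see or change."""
    store = Store()
    store.create("hidden-slug", "admin")
    return store


def can_change(user, obj):
    return user in obj.allowed_users


def silent_drop_patch(store, user, has_add_perm, nested_slugs):
    """Models the behaviour described in the report (constructed, not djangoldp
    code): a nested reference the caller may not change is dropped without an
    error, while a reference to a slug that does not exist is created when the
    caller holds the model add permission."""
    contained = []
    for slug in nested_slugs:
        obj = store.get(slug)
        if obj is None:
            if has_add_perm:
                obj = store.create(slug, user)
                contained.append(obj.slug)
            continue
        if can_change(user, obj):
            contained.append(obj.slug)
        # otherwise: dropped silently, nothing in the response says why
    return {"status": 200, "contains": contained}


def hardened_patch(store, user, has_add_perm, nested_slugs):
    """One way to close the oracle: resolve nested @id references only against
    objects the caller may change, and fail the whole request with one uniform
    response otherwise. A hidden object and a missing one now look the same.
    Creating new nested objects by supplying an @id is deliberately not offered
    (a payload without @id would be the path for that)."""
    del has_add_perm  # not consulted: an @id may only point at something the caller can change
    contained = []
    for slug in nested_slugs:
        obj = store.get(slug)
        if obj is None or not can_change(user, obj):
            return {"status": 403, "contains": []}
        contained.append(obj.slug)
    return {"status": 200, "contains": contained}


def existence_oracle(handler, user, has_add_perm):
    """True if the caller can tell an existing-but-hidden slug from a missing one
    by comparing the two responses. Each probe runs on a fresh store so the
    create performed by one probe does not leak into the other."""
    hidden = handler(make_store(), user, has_add_perm, ["hidden-slug"])
    missing = handler(make_store(), user, has_add_perm, ["no-such-slug"])
    return hidden != missing


if __name__ == "__main__":
    print("silent drop, with add permission, leaks existence:",
          existence_oracle(silent_drop_patch, "alice", True))
    print("silent drop, without add permission, leaks existence:",
          existence_oracle(silent_drop_patch, "alice", False))
    print("hardened handler leaks existence:",
          existence_oracle(hardened_patch, "alice", True))
```

The oracle only opens when the caller has the add permission, which matches the report: without it both probes collapse to a 200 with an empty container. The hardened variant trades away nested creation by @id for a uniform 403; if creation through a nested payload is wanted, it has to be done without an @id, because any attempt to create on a slug that already exists would reintroduce the leak through a uniqueness error.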