Fix unpriviledged users being able to access bulk process

Any user was able to access and view the bulk process page for organization management. This fix checks access and returns unauthorized exception if theuser shouldn't be there.
rsanfer · Aug 27, 2021 · f7b94d0 · f7b94d0
1 parent c9e0911
commit f7b94d0
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/ckan/views/group.py b/ckan/views/group.py
@@ -856,6 +856,9 @@ def get(self, id, group_type, is_organization):
         try:
             group_dict = _action(u'group_show')(context, data_dict)
             group = context['group']
+            check_access(u'group_update', context)
+        except NotAuthorized:
+            base.abort(403, _(u'Unauthorized to access'))
         except NotFound:
             base.abort(404, _(u'Group not found'))