From c5f67ac80d982dfe547e4259168a7d1eddb89b6b Mon Sep 17 00:00:00 2001
From: Hangzhi Yu <hangzhi@protonmail.com>
Date: Sun, 9 Jan 2022 14:12:22 +0100
Subject: [PATCH] Deny access to dashboard edit page to superusers with dummy person
---
 CHANGELOG.rst | 1 +
 aleksis/core/templates/core/index.html | 2 +-
 aleksis/core/views.py | 8 +++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 75c18ce6d..8af89154d 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -25,6 +25,7 @@ Fixed
 ~~~~~
 * Changing the favicon did not result in all icons being replaced in some cases
+* Superusers with a dummy person were able to access the dashboard edit page.
 * GroupManager.get_queryset() returned an incomplete QuerySet
 * OAuth was broken by a non-semver-adhering django-oauth-toolkit update
 * Too long texts in chips didn't result in a larger chip.
diff --git a/aleksis/core/templates/core/index.html b/aleksis/core/templates/core/index.html
index b3748afac..7c9c018ca 100644
--- a/aleksis/core/templates/core/index.html
+++ b/aleksis/core/templates/core/index.html
@@ -10,7 +10,7 @@
 {% block content %}
 {% has_perm "core.edit_dashboard_rule" user as can_edit_dashboard %}
- {% if can_edit_dashboard %}
+ {% if can_edit_dashboard and show_edit_dashboard_button %}
 <div class="row no-margin">
 <a class="btn-flat waves-effect waves-light right" href="{% url "edit_dashboard" %}">
 <i class="material-icons left">edit</i>
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index 33af719a6..45167450e 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -232,9 +232,11 @@ def index(request: HttpRequest) -> HttpResponse:
 context["default_dashboard"] = True
 media = DashboardWidget.get_media(widgets)
+ show_edit_dashboard_button = not getattr(person, "is_dummy", False)
 context["widgets"] = widgets
 context["media"] = media
+ context["show_edit_dashboard_button"] = show_edit_dashboard_button
 return render(request, "core/index.html", context)
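Review bot: `person` is read by the new `getattr(person, "is_dummy", False)` line in the `index` hunk but is not bound anywhere inside the hunk; `index` starts outside it, so confirm `person` is assigned on every path that reaches this point (including a user with no person), otherwise the view fails with a NameError rather than rendering. The flag only hides the edit link in the template, so the authorization still rests on `core.edit_dashboard_rule` and on `EditDashboardView`; treat this as presentation, not as the control. This hunk and the `EditDashboardView` hunk repeat the same dummy-person predicate; if `core.edit_dashboard_rule` is a rules predicate, adding the dummy-person condition there would let the template's `has_perm` and the view's permission check agree without duplicated code. The temporary is also unnecessary: `context["show_edit_dashboard_button"] = not getattr(person, "is_dummy", False)`.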
@@ -993,7 +995,11 @@ class EditDashboardView(PermissionRequiredMixin, View):
 context = {}
 self.default_dashboard = kwargs.get("default", False)
- if self.default_dashboard and not request.user.has_perm("core.edit_default_dashboard_rule"):
+ if (
+ self.default_dashboard
+ and not request.user.has_perm("core.edit_default_dashboard_rule")
+ or getattr(person, "is_dummy", False)
+ ):
 raise PermissionDenied()
 context["default_dashboard"] = self.default_dashboard
-- 
GitLab
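Review bot: The new dummy-person condition is evaluated only in the method shown here, whose signature lies outside the hunk; if this is `get` alone, a matching `post` handler would still accept the submitted dashboard edit from a dummy-person superuser, so the check belongs in `dispatch` (or must be repeated in `post`) to close the access path rather than only the page. As in the `index` hunk, `person` is not bound within the hunk; confirm it is assigned before this line so a missing person raises PermissionDenied and not NameError. The mixed `and`/`or` without parentheses relies on `and` binding tighter, which matches the intent here but is easy to misread on later edits; I would write `if getattr(person, "is_dummy", False) or (self.default_dashboard and not request.user.has_perm("core.edit_default_dashboard_rule")):` so the two independent denial reasons are explicit.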