Skip to content

Bug: Potential permission bypass in IsChallengeCreator for SAFE_METHODS #4949

Description

@iceybubble

While reviewing the challenge permissions, I came across a point in the IsChallengeCreator permission class that might need clarification or adjustment.

In apps/challenges/permissions.py, the has_permission method currently allows all SAFE_METHODS (GET, HEAD, OPTIONS) without performing an explicit authentication or authorization check:

if request.method in permissions.SAFE_METHODS:
    return True

As IsChallengeCreator is used in challenge-related views, this behavior may result in broader access than intended for certain GET endpoints.

Additionally, the permission logic accesses request.parser_context["kwargs"]["challenge_pk"] directly, which may raise a KeyError if the expected key is not present in the request context.

I wanted to bring this to attention and check whether this aligns with the intended access control.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions