Summary
During a security review of student-management-using-django, I identified 16 authorization vulnerabilities (1 CRITICAL, 8 HIGH, 7 MEDIUM). The fundamental flaw is the module-based middleware approach: LoginCheckMiddleWare only checks view_func.__module__ against three hardcoded module names, so views in other modules bypass role enforcement entirely.
Most Critical Findings
1. CRITICAL: Students Can Edit Their Own Grades (CWE-862)
File: main_app/EditResultView.py lines 9-40
EditResultView lives in module main_app.EditResultView, which the middleware does NOT check. Any authenticated user (including Students) can POST to /staff/result/edit/ to modify any student's test and exam scores. Complete academic integrity compromise.
2. HIGH: get_attendance Accessible to Any Authenticated User (CWE-862)
File: main_app/views.py lines 71-89
In main_app.views module — not checked by middleware. Any user can enumerate attendance records for any subject/session. Also @csrf_exempt.
3-5. HIGH: Staff IDOR on Results, Attendance Save, Attendance Update (CWE-639)
Files: main_app/staff_views.py lines 265-295, 75-103, 136-153
Staff endpoints accept arbitrary subject_id, student_id, and attendance_id without verifying the subject belongs to the requesting staff member. A staff member can modify grades and attendance for subjects they don't teach.
6-8. HIGH: All HOD Actions Lack CSRF Protection (CWE-352)
Files: main_app/hod_views.py — leave approval (lines 447-494), feedback reply (lines 405-444), notification send (lines 586-637)
All use @csrf_exempt. A CSRF attack can trick an HOD into approving/rejecting leave, replying to feedback, or sending notifications.
9. HIGH: GET-Based Destructive Delete Operations (CWE-650)
File: main_app/hod_views.py lines 640-681
All delete operations (/staff/delete/<id>, /student/delete/<id>, /course/delete/<id>, /subject/delete/<id>, /session/delete/<id>) accept GET requests. An <img src="/staff/delete/1"> on any page triggers deletion.
10. HIGH: Hardcoded Firebase FCM Server Key (CWE-798)
File: main_app/hod_views.py lines 602-603
FCM server key hardcoded in source. Anyone can send push notifications to all users.
11-14. MEDIUM: Staff IDOR on Student Enumeration, Attendance View, Result Fetch (CWE-639)
Files: main_app/staff_views.py lines 53-71, 119-133, 298-312
Staff can enumerate students, view attendance, and fetch results for any subject.
15. MEDIUM: Hardcoded reCAPTCHA Secret Key (CWE-798)
File: main_app/views.py line 33
16. MEDIUM: Password Validators Disabled in Production (CWE-521)
File: student_management_system/settings.py lines 108-124
Logic inverted: if not DEBUG: AUTH_PASSWORD_VALIDATORS = []
Root Cause
The LoginCheckMiddleWare checks view_func.__module__ against three hardcoded strings: main_app.hod_views, main_app.staff_views, main_app.student_views. Any view in a different module (like main_app.views or main_app.EditResultView) bypasses all role enforcement.
Recommended Fixes
- Replace module-based middleware with per-view decorators (
@login_required + @role_required)
- Add ownership checks in all staff views: verify
subject.staff_id == staff.id
- Remove all
@csrf_exempt decorators
- Change delete operations to POST with CSRF tokens
- Move secrets to environment variables
- Fix password validator logic (swap the
not DEBUG condition)
Disclosure
Found during responsible security review. Happy to help with remediation.
Summary
During a security review of student-management-using-django, I identified 16 authorization vulnerabilities (1 CRITICAL, 8 HIGH, 7 MEDIUM). The fundamental flaw is the module-based middleware approach:
LoginCheckMiddleWareonly checksview_func.__module__against three hardcoded module names, so views in other modules bypass role enforcement entirely.Most Critical Findings
1. CRITICAL: Students Can Edit Their Own Grades (CWE-862)
File:
main_app/EditResultView.pylines 9-40EditResultViewlives in modulemain_app.EditResultView, which the middleware does NOT check. Any authenticated user (including Students) can POST to/staff/result/edit/to modify any student's test and exam scores. Complete academic integrity compromise.2. HIGH:
get_attendanceAccessible to Any Authenticated User (CWE-862)File:
main_app/views.pylines 71-89In
main_app.viewsmodule — not checked by middleware. Any user can enumerate attendance records for any subject/session. Also@csrf_exempt.3-5. HIGH: Staff IDOR on Results, Attendance Save, Attendance Update (CWE-639)
Files:
main_app/staff_views.pylines 265-295, 75-103, 136-153Staff endpoints accept arbitrary
subject_id,student_id, andattendance_idwithout verifying the subject belongs to the requesting staff member. A staff member can modify grades and attendance for subjects they don't teach.6-8. HIGH: All HOD Actions Lack CSRF Protection (CWE-352)
Files:
main_app/hod_views.py— leave approval (lines 447-494), feedback reply (lines 405-444), notification send (lines 586-637)All use
@csrf_exempt. A CSRF attack can trick an HOD into approving/rejecting leave, replying to feedback, or sending notifications.9. HIGH: GET-Based Destructive Delete Operations (CWE-650)
File:
main_app/hod_views.pylines 640-681All delete operations (
/staff/delete/<id>,/student/delete/<id>,/course/delete/<id>,/subject/delete/<id>,/session/delete/<id>) accept GET requests. An<img src="/staff/delete/1">on any page triggers deletion.10. HIGH: Hardcoded Firebase FCM Server Key (CWE-798)
File:
main_app/hod_views.pylines 602-603FCM server key hardcoded in source. Anyone can send push notifications to all users.
11-14. MEDIUM: Staff IDOR on Student Enumeration, Attendance View, Result Fetch (CWE-639)
Files:
main_app/staff_views.pylines 53-71, 119-133, 298-312Staff can enumerate students, view attendance, and fetch results for any subject.
15. MEDIUM: Hardcoded reCAPTCHA Secret Key (CWE-798)
File:
main_app/views.pyline 3316. MEDIUM: Password Validators Disabled in Production (CWE-521)
File:
student_management_system/settings.pylines 108-124Logic inverted:
if not DEBUG: AUTH_PASSWORD_VALIDATORS = []Root Cause
The
LoginCheckMiddleWarechecksview_func.__module__against three hardcoded strings:main_app.hod_views,main_app.staff_views,main_app.student_views. Any view in a different module (likemain_app.viewsormain_app.EditResultView) bypasses all role enforcement.Recommended Fixes
@login_required+@role_required)subject.staff_id == staff.id@csrf_exemptdecoratorsnot DEBUGcondition)Disclosure
Found during responsible security review. Happy to help with remediation.