Possible to moderate a held post through a list that it doesn't belong to
When using the REST API to moderate a held post, you can moderate it even if the list in the URI is not the list the post was submitted to.
The issue appears to be that the call to requests.get_request() doesn't check that the request belongs to the mlist that requests was initialized against.
From rest/post_moderation.py:
    requests = IListRequests(self._mlist)
    try:
        request_id = int(self._request_id)
    except ValueError:
        bad_request(response)
        return
    results = requests.get_request(request_id, RequestType.held_message)
    if results is None:
        not_found(response)
    else:
        handle_message(self._mlist, request_id, **arguments)
        no_content(response)
And from model/requests.py:
    def get_request(self, store, request_id, request_type=None):
        result = store.query(_Request).get(request_id)
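To make the missing-ownership-check behaviour concrete, here is an added, stand-alone model of the lookup (not Mailman's code, and not the project's actual fix). The Store, Request and MailingList classes, the two ListRequests variants and the moderate_via() helper are simplified stand-ins for mailman.model.requests and the REST handler quoted above; the sample data (two lists, one held message each) is constructed for the example. The unchecked variant reproduces the report: request ids are global, so a request from list "bee" can be moderated through list "ant". The checked variant adds the comparison against the list the object was initialized with and reports a foreign request as not found, indistinguishable from a non-existent id.

```python
"""Model of IListRequests.get_request with and without an ownership check.

Added illustration, not Mailman code: everything here is a simplified
stand-in for mailman.model.requests and rest/post_moderation.py.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class RequestType(Enum):
    held_message = 1
    subscription = 2


@dataclass
class MailingList:
    list_id: str


@dataclass
class Request:
    """Stand-in for the _Request row: one held request, owned by one list."""
    id: int
    mailing_list: MailingList
    request_type: RequestType
    data_hash: str


@dataclass
class Store:
    """Stand-in for the database session. Ids are global across all lists,
    which is what makes a per-list ownership check necessary."""
    rows: Dict[int, Request] = field(default_factory=dict)

    def add(self, request: Request) -> None:
        self.rows[request.id] = request

    def get(self, request_id: int) -> Optional[Request]:
        return self.rows.get(request_id)


class UncheckedListRequests:
    """Mirrors the reported behaviour: the id is looked up in the global store
    and the result is never compared against the list this object wraps."""

    def __init__(self, store: Store, mlist: MailingList) -> None:
        self._store = store
        self._mailing_list = mlist

    def get_request(self, request_id: int,
                    request_type: Optional[RequestType] = None
                    ) -> Optional[Request]:
        result = self._store.get(request_id)
        if result is None:
            return None
        if request_type is not None and result.request_type != request_type:
            return None
        return result


class CheckedListRequests(UncheckedListRequests):
    """Same lookup plus the ownership check: a request owned by another list
    is reported as not found, exactly like an id that does not exist."""

    def get_request(self, request_id: int,
                    request_type: Optional[RequestType] = None
                    ) -> Optional[Request]:
        result = super().get_request(request_id, request_type)
        if result is None or result.mailing_list != self._mailing_list:
            return None
        return result


def build_store() -> Tuple[Store, MailingList, MailingList]:
    """Constructed sample data: two lists, one held message each."""
    store = Store()
    ant = MailingList('ant.example.com')
    bee = MailingList('bee.example.com')
    store.add(Request(1, ant, RequestType.held_message, 'hash-ant'))
    store.add(Request(2, bee, RequestType.held_message, 'hash-bee'))
    return store, ant, bee


def moderate_via(requests_factory, store: Store, mlist: MailingList,
                 request_id: int) -> str:
    """Models the REST handler: the list named in the URI is `mlist`. Returns
    'not_found', or the id of the list whose message would actually be acted
    on, so cross-list moderation is visible in the return value."""
    requests = requests_factory(store, mlist)
    result = requests.get_request(request_id, RequestType.held_message)
    if result is None:
        return 'not_found'
    return result.mailing_list.list_id


if __name__ == '__main__':
    store, ant, bee = build_store()
    # Request 2 belongs to bee, but the URI names ant.
    print('unchecked:', moderate_via(UncheckedListRequests, store, ant, 2))
    print('checked:  ', moderate_via(CheckedListRequests, store, ant, 2))
```

The point of doing the comparison inside get_request() rather than in the REST layer is that every caller of IListRequests (REST, the CLI, the moderation runner) gets the same scoping for free; a check added only in post_moderation.py would leave the other entry points with the same gap.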