FIX: SECURITY - disable broken API
This commit is contained in:
parent
da58e6c18c
commit
259fe0f66b
@ -30,6 +30,8 @@ from functools import wraps
|
||||
from flask import abort
|
||||
from flask import g
|
||||
from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
|
||||
|
||||
from app import log
|
||||
from app.auth.models import User
|
||||
from app.api.errors import error_response
|
||||
|
||||
@ -71,10 +73,15 @@ def token_permission_required(permission):
|
||||
def decorator(f):
|
||||
@wraps(f)
|
||||
def decorated_function(*args, **kwargs):
|
||||
abort(501)
|
||||
scodoc_dept = getattr(g, "scodoc_dept", None)
|
||||
if hasattr(g, "current_user") and not g.current_user.has_permission(
|
||||
if not hasattr(g, "current_user") or not g.current_user.has_permission(
|
||||
permission, scodoc_dept
|
||||
):
|
||||
if hasattr(g, "current_user"):
|
||||
log(f"API permission denied (user {g.current_user})")
|
||||
else:
|
||||
log(f"API permission denied (no user supplied)")
|
||||
abort(403)
|
||||
return f(*args, **kwargs)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
from flask import jsonify
|
||||
from app import db
|
||||
from app import db, log
|
||||
from app.api import bp
|
||||
from app.api.auth import basic_auth, token_auth
|
||||
|
||||
@ -8,6 +8,7 @@ from app.api.auth import basic_auth, token_auth
|
||||
@basic_auth.login_required
|
||||
def get_token():
|
||||
token = basic_auth.current_user().get_token()
|
||||
log(f"API: giving token to {basic_auth.current_user()}")
|
||||
db.session.commit()
|
||||
return jsonify({"token": token})
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
# -*- mode: python -*-
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
SCOVERSION = "9.2.15"
|
||||
SCOVERSION = "9.2.16"
|
||||
|
||||
SCONAME = "ScoDoc"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user