FIX: SECURITY - disable broken API
This commit is contained in:
parent
da58e6c18c
commit
259fe0f66b
@ -30,6 +30,8 @@ from functools import wraps
|
|||||||
from flask import abort
|
from flask import abort
|
||||||
from flask import g
|
from flask import g
|
||||||
from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
|
from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
|
||||||
|
|
||||||
|
from app import log
|
||||||
from app.auth.models import User
|
from app.auth.models import User
|
||||||
from app.api.errors import error_response
|
from app.api.errors import error_response
|
||||||
|
|
||||||
@ -71,10 +73,15 @@ def token_permission_required(permission):
|
|||||||
def decorator(f):
|
def decorator(f):
|
||||||
@wraps(f)
|
@wraps(f)
|
||||||
def decorated_function(*args, **kwargs):
|
def decorated_function(*args, **kwargs):
|
||||||
|
abort(501)
|
||||||
scodoc_dept = getattr(g, "scodoc_dept", None)
|
scodoc_dept = getattr(g, "scodoc_dept", None)
|
||||||
if hasattr(g, "current_user") and not g.current_user.has_permission(
|
if not hasattr(g, "current_user") or not g.current_user.has_permission(
|
||||||
permission, scodoc_dept
|
permission, scodoc_dept
|
||||||
):
|
):
|
||||||
|
if hasattr(g, "current_user"):
|
||||||
|
log(f"API permission denied (user {g.current_user})")
|
||||||
|
else:
|
||||||
|
log(f"API permission denied (no user supplied)")
|
||||||
abort(403)
|
abort(403)
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
from flask import jsonify
|
from flask import jsonify
|
||||||
from app import db
|
from app import db, log
|
||||||
from app.api import bp
|
from app.api import bp
|
||||||
from app.api.auth import basic_auth, token_auth
|
from app.api.auth import basic_auth, token_auth
|
||||||
|
|
||||||
@ -8,6 +8,7 @@ from app.api.auth import basic_auth, token_auth
|
|||||||
@basic_auth.login_required
|
@basic_auth.login_required
|
||||||
def get_token():
|
def get_token():
|
||||||
token = basic_auth.current_user().get_token()
|
token = basic_auth.current_user().get_token()
|
||||||
|
log(f"API: giving token to {basic_auth.current_user()}")
|
||||||
db.session.commit()
|
db.session.commit()
|
||||||
return jsonify({"token": token})
|
return jsonify({"token": token})
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
# -*- mode: python -*-
|
# -*- mode: python -*-
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
SCOVERSION = "9.2.15"
|
SCOVERSION = "9.2.16"
|
||||||
|
|
||||||
SCONAME = "ScoDoc"
|
SCONAME = "ScoDoc"
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user