From 259fe0f66b9c4c92eec8d350a33493b5a2d73a19 Mon Sep 17 00:00:00 2001 From: Emmanuel Viennet Date: Tue, 3 May 2022 08:55:56 +0200 Subject: [PATCH] FIX: SECURITY - disable broken API --- app/api/auth.py | 9 ++++++++- app/api/tokens.py | 3 ++- sco_version.py | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/app/api/auth.py b/app/api/auth.py index 20dd7ded8..0832e1354 100644 --- a/app/api/auth.py +++ b/app/api/auth.py @@ -30,6 +30,8 @@ from functools import wraps from flask import abort from flask import g from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth + +from app import log from app.auth.models import User from app.api.errors import error_response @@ -71,10 +73,15 @@ def token_permission_required(permission): def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): + abort(501) scodoc_dept = getattr(g, "scodoc_dept", None) - if hasattr(g, "current_user") and not g.current_user.has_permission( + if not hasattr(g, "current_user") or not g.current_user.has_permission( permission, scodoc_dept ): + if hasattr(g, "current_user"): + log(f"API permission denied (user {g.current_user})") + else: + log(f"API permission denied (no user supplied)") abort(403) return f(*args, **kwargs) diff --git a/app/api/tokens.py b/app/api/tokens.py index f36ec7b0e..32f5a8f48 100644 --- a/app/api/tokens.py +++ b/app/api/tokens.py @@ -1,5 +1,5 @@ from flask import jsonify -from app import db +from app import db, log from app.api import bp from app.api.auth import basic_auth, token_auth @@ -8,6 +8,7 @@ from app.api.auth import basic_auth, token_auth @basic_auth.login_required def get_token(): token = basic_auth.current_user().get_token() + log(f"API: giving token to {basic_auth.current_user()}") db.session.commit() return jsonify({"token": token}) diff --git a/sco_version.py b/sco_version.py index f4ef3e98c..f6933b48a 100644 --- a/sco_version.py +++ b/sco_version.py @@ -1,7 +1,7 @@ # -*- mode: python -*- # -*- coding: utf-8 -*- -SCOVERSION = "9.2.15" +SCOVERSION = "9.2.16" SCONAME = "ScoDoc"