FIX: SECURITY - disable broken API

This commit is contained in:
Emmanuel Viennet 2022-05-03 08:55:56 +02:00
parent da58e6c18c
commit 259fe0f66b
3 changed files with 11 additions and 3 deletions

View File

@ -30,6 +30,8 @@ from functools import wraps
from flask import abort
from flask import g
from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
from app import log
from app.auth.models import User
from app.api.errors import error_response
@ -71,10 +73,15 @@ def token_permission_required(permission):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
abort(501)
scodoc_dept = getattr(g, "scodoc_dept", None)
if hasattr(g, "current_user") and not g.current_user.has_permission(
if not hasattr(g, "current_user") or not g.current_user.has_permission(
permission, scodoc_dept
):
if hasattr(g, "current_user"):
log(f"API permission denied (user {g.current_user})")
else:
log(f"API permission denied (no user supplied)")
abort(403)
return f(*args, **kwargs)

View File

@ -1,5 +1,5 @@
from flask import jsonify
from app import db
from app import db, log
from app.api import bp
from app.api.auth import basic_auth, token_auth
@ -8,6 +8,7 @@ from app.api.auth import basic_auth, token_auth
@basic_auth.login_required
def get_token():
token = basic_auth.current_user().get_token()
log(f"API: giving token to {basic_auth.current_user()}")
db.session.commit()
return jsonify({"token": token})

View File

@ -1,7 +1,7 @@
# -*- mode: python -*-
# -*- coding: utf-8 -*-
SCOVERSION = "9.2.15"
SCOVERSION = "9.2.16"
SCONAME = "ScoDoc"