diff --git a/app/api/auth.py b/app/api/auth.py index 20dd7ded8f..0832e13540 100644 --- a/app/api/auth.py +++ b/app/api/auth.py @@ -30,6 +30,8 @@ from functools import wraps from flask import abort from flask import g from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth + +from app import log from app.auth.models import User from app.api.errors import error_response @@ -71,10 +73,15 @@ def token_permission_required(permission): def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): + abort(501) scodoc_dept = getattr(g, "scodoc_dept", None) - if hasattr(g, "current_user") and not g.current_user.has_permission( + if not hasattr(g, "current_user") or not g.current_user.has_permission( permission, scodoc_dept ): + if hasattr(g, "current_user"): + log(f"API permission denied (user {g.current_user})") + else: + log(f"API permission denied (no user supplied)") abort(403) return f(*args, **kwargs) diff --git a/app/api/tokens.py b/app/api/tokens.py index f36ec7b0ee..32f5a8f48b 100644 --- a/app/api/tokens.py +++ b/app/api/tokens.py @@ -1,5 +1,5 @@ from flask import jsonify -from app import db +from app import db, log from app.api import bp from app.api.auth import basic_auth, token_auth @@ -8,6 +8,7 @@ from app.api.auth import basic_auth, token_auth @basic_auth.login_required def get_token(): token = basic_auth.current_user().get_token() + log(f"API: giving token to {basic_auth.current_user()}") db.session.commit() return jsonify({"token": token}) diff --git a/sco_version.py b/sco_version.py index f4ef3e98c7..f6933b48a2 100644 --- a/sco_version.py +++ b/sco_version.py @@ -1,7 +1,7 @@ # -*- mode: python -*- # -*- coding: utf-8 -*- -SCOVERSION = "9.2.15" +SCOVERSION = "9.2.16" SCONAME = "ScoDoc"