0001-api-don-t-open-users-API-to-restricted-API-users-538.patch

Frédéric Péters, 07 mai 2021 19:38

Voir les différences: en ligne côte à côte

Subject: [PATCH] api: don't open users API to restricted API users (#53865)

 tests/api/test_user.py | 20 ++++++++++++++++++++
 wcs/api.py             |  9 +++++++++
 wcs/api_access.py      |  3 +++
 3 files changed, 32 insertions(+)

         assert resp.json['err_desc'] == 'restricted API access'
     def test_users_api_with_restricted_access(pub, local_user):
         role = pub.role_class(name='test')
         role.store()
         access = ApiAccess()
         access.name = 'test'
         access.access_identifier = 'test'
         access.access_key = '12345'
         access.roles = [role]
         access.store()
         resp = get_app(pub).get(sign_uri('/api/users/', orig='test', key='12345'), status=403)
         assert resp.json['err'] == 1
         assert resp.json['err_desc'] == 'restricted API access'
         resp = get_app(pub).get(sign_uri('/api/users/%s/' % local_user.id, orig='test', key='12345'), status=403)
         assert resp.json['err'] == 1
         assert resp.json['err_desc'] == 'restricted API access'
     def test_user_forms_limit_offset(pub, local_user):
         if not pub.is_using_postgresql():
             pytest.skip('this requires SQL')

                 # allowed to submit forms (as they have a form to select an user).
                 raise AccessForbiddenError('unsigned request or user has no access to backoffice')
             api_user = get_user_from_api_query_string()
             if api_user and api_user.is_api_user:
                 raise AccessForbiddenError('restricted API access')
             criterias = [st.Null('deleted_timestamp')]
             query = get_request().form.get('q')
             if query:
-...
         def _q_lookup(self, component):
             if not (is_url_signed() or (get_request().user and get_request().user.can_go_in_admin())):
                 raise AccessForbiddenError('unsigned request or user has no access to backoffice')
             api_user = get_user_from_api_query_string()
             if api_user and api_user.is_api_user:
                 raise AccessForbiddenError('restricted API access')
             user_class = get_publisher().user_class
             try:
                 int(component)  # makes sure this is an id

                 is_admin = False
                 is_api_user = True
                 def can_go_in_admin(self):
                     return False
                 def can_go_in_backoffice(self):
                     return False
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-api-don-t-open-users-API-to-restricted-API-users-538.patch