0001-api-don-t-open-users-API-to-restricted-API-users-538.patch
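--- a/tests/api/test_user.py
+++ b/tests/api/test_user.py
@@ -368,6 +368,26 @@
     assert resp.json['err_desc'] == 'restricted API access'
 
 
+def test_users_api_with_restricted_access(pub, local_user):
+    role = pub.role_class(name='test')
+    role.store()
+
+    access = ApiAccess()
+    access.name = 'test'
+    access.access_identifier = 'test'
+    access.access_key = '12345'
+    access.roles = [role]
+    access.store()
+
+    resp = get_app(pub).get(sign_uri('/api/users/', orig='test', key='12345'), status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'restricted API access'
+
+    resp = get_app(pub).get(sign_uri('/api/users/%s/' % local_user.id, orig='test', key='12345'), status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'restricted API access'
+
+
 def test_user_forms_limit_offset(pub, local_user):
     if not pub.is_using_postgresql():
         pytest.skip('this requires SQL')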
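Review bot: test_users_api_with_restricted_access only pins the denied path (403 on /api/users/ and /api/users/<id>/ for a signed ApiAccess request); nothing asserts that the same two URIs still answer 200 for a signed request that is not bound to an ApiAccess user, so an over-broad check in wcs/api.py would pass this test unnoticed. Consider adding a positive case in the same test, e.g. a signed GET with an `orig`/`key` pair that maps to a regular publisher user (or whatever fixture the surrounding tests use for that), asserting `status=200` and a non-error payload. Both requests here are GETs; if the users API handles other methods on these paths, they are not covered and a short comment saying the restriction is expected to apply regardless of method would help the next reader.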
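--- a/wcs/api.py
+++ b/wcs/api.py
@@ -974,6 +974,10 @@
             # allowed to submit forms (as they have a form to select an user).
             raise AccessForbiddenError('unsigned request or user has no access to backoffice')
 
+        api_user = get_user_from_api_query_string()
+        if api_user and api_user.is_api_user:
+            raise AccessForbiddenError('restricted API access')
+
         criterias = [st.Null('deleted_timestamp')]
         query = get_request().form.get('q')
         if query:
@@ -1020,6 +1024,11 @@
     def _q_lookup(self, component):
         if not (is_url_signed() or (get_request().user and get_request().user.can_go_in_admin())):
             raise AccessForbiddenError('unsigned request or user has no access to backoffice')
+
+        api_user = get_user_from_api_query_string()
+        if api_user and api_user.is_api_user:
+            raise AccessForbiddenError('restricted API access')
+
         user_class = get_publisher().user_class
         try:
             int(component) # makes sure this is an id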
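Review bot: The three-line restricted-access check is pasted verbatim into both hunks of this file (the users listing view and `_q_lookup`), so a third entry point under the same directory would have to remember to copy it again; a module-level helper such as `def check_not_restricted_api_user():` holding the `get_user_from_api_query_string()` lookup and the `raise AccessForbiddenError('restricted API access')`, called as `check_not_restricted_api_user()` at both sites, keeps the policy in one place. Because the check is a per-view deny rather than something enforced in the directory's traversal, it is worth a one-line comment at each call site, e.g. `# ApiAccess users may sign requests but must never read the users API (#538)`, so the intent survives refactoring. The ordering is sound: an unsigned request is still rejected first with the existing message, and in `_q_lookup` the new check runs before `component` is parsed, so it fails closed. Both enclosing methods start before and end after their hunks.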
wcs/api_access.py | ||
88 | 88 |
is_admin = False |
89 | 89 |
is_api_user = True |
90 | 90 | |
91 |
def can_go_in_admin(self): |
|
92 |
return False |
|
93 | ||
91 | 94 |
def can_go_in_backoffice(self): |
92 | 95 |
return False |
93 | 96 | |
94 |
- |