Fixed authorization issue.
Authorization wasn't properly checked, so callers were granted more access than they were allowed.
@@ -138,8 +138,7 @@ from modules.file_storage import generate_link
|
|||||||
def before_returning_item_permissions(response):
|
def before_returning_item_permissions(response):
|
||||||
# Run validation process, since GET on nodes entry point is public
|
# Run validation process, since GET on nodes entry point is public
|
||||||
validate_token()
|
validate_token()
|
||||||
if not check_permissions(response, 'GET', append_allowed_methods=True):
|
check_permissions(response, 'GET', append_allowed_methods=True)
|
||||||
return abort(403)
|
|
||||||
|
|
||||||
def before_returning_resource_permissions(response):
|
def before_returning_resource_permissions(response):
|
||||||
for item in response['_items']:
|
for item in response['_items']:
|
||||||
@@ -254,8 +253,7 @@ def project_node_type_has_method(response):
|
|||||||
if not node_type:
|
if not node_type:
|
||||||
return abort(404)
|
return abort(404)
|
||||||
# Check permissions and append the allowed_methods to the node_type
|
# Check permissions and append the allowed_methods to the node_type
|
||||||
if not check_permissions(node_type, 'GET', append_allowed_methods=True):
|
check_permissions(node_type, 'GET', append_allowed_methods=True)
|
||||||
return abort(403)
|
|
||||||
|
|
||||||
# def before_returning_notifications(response):
|
# def before_returning_notifications(response):
|
||||||
# for item in response['_items']:
|
# for item in response['_items']:
|
||||||
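Review bot: The new bare `check_permissions(response, 'GET', append_allowed_methods=True)` in `before_returning_item_permissions` now depends entirely on the callee aborting on denial, and nothing at the call site says so; a comment such as `# check_permissions() aborts with 403 on denial, so reaching the next line means access was granted` would stop a later "return a bool instead of aborting" refactor from silently reopening the hole this commit closes. The same applies to the identical call in `project_node_type_has_method`, where the neighbouring `return abort(404)` style makes the unchecked call look like an accidentally ignored result. `before_returning_resource_permissions` is cut off at the end of the hunk, so whether a denied entry in `response['_items']` would now abort the whole listing rather than being filtered out cannot be judged from here and is worth confirming.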
|
@@ -1,20 +1,22 @@
|
|||||||
|
import logging
|
||||||
|
|
||||||
from flask import g
|
from flask import g
|
||||||
from flask import request
|
from flask import request
|
||||||
from flask import url_for
|
from flask import url_for
|
||||||
from flask import abort
|
from flask import abort
|
||||||
from application import app
|
from application import app
|
||||||
|
|
||||||
|
log = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
def check_permissions(resource, method, append_allowed_methods=False):
|
def check_permissions(resource, method, append_allowed_methods=False):
|
||||||
"""Check user permissions to access a node. We look up node permissions from
|
"""Check user permissions to access a node. We look up node permissions from
|
||||||
world to groups to users and match them with the computed user permissions.
|
world to groups to users and match them with the computed user permissions.
|
||||||
If there is not match, we return 403.
|
If there is not match, we raise 403.
|
||||||
"""
|
"""
|
||||||
if method != 'GET' and append_allowed_methods:
|
if method != 'GET' and append_allowed_methods:
|
||||||
raise ValueError("append_allowed_methods only allowed with 'GET' method")
|
raise ValueError("append_allowed_methods only allowed with 'GET' method")
|
||||||
|
|
||||||
allowed_methods = []
|
|
||||||
|
|
||||||
current_user = g.get('current_user', None)
|
current_user = g.get('current_user', None)
|
||||||
|
|
||||||
if 'permissions' in resource:
|
if 'permissions' in resource:
|
||||||
@@ -54,30 +56,34 @@ def check_permissions(resource, method, append_allowed_methods=False):
|
|||||||
elif resource_permissions and not computed_permissions:
|
elif resource_permissions and not computed_permissions:
|
||||||
computed_permissions = resource_permissions
|
computed_permissions = resource_permissions
|
||||||
|
|
||||||
|
if not computed_permissions:
|
||||||
|
log.info('No permissions available to compute for %s on resource %r',
|
||||||
|
method, resource.get('node_type', resource))
|
||||||
|
abort(403)
|
||||||
|
|
||||||
|
# Accumulate allowed methods from the user, group and world level.
|
||||||
|
allowed_methods = set()
|
||||||
|
|
||||||
if current_user:
|
if current_user:
|
||||||
# If the user is authenticated, proceed to compare the group permissions
|
# If the user is authenticated, proceed to compare the group permissions
|
||||||
for permission in computed_permissions['groups']:
|
for permission in computed_permissions['groups']:
|
||||||
if permission['group'] in current_user['groups']:
|
if permission['group'] in current_user['groups']:
|
||||||
allowed_methods += permission['methods']
|
allowed_methods.update(permission['methods'])
|
||||||
if method in permission['methods'] and not append_allowed_methods:
|
|
||||||
return
|
|
||||||
|
|
||||||
for permission in computed_permissions['users']:
|
for permission in computed_permissions['users']:
|
||||||
if current_user['user_id'] == permission['user']:
|
if current_user['user_id'] == permission['user']:
|
||||||
allowed_methods += permission['methods']
|
allowed_methods.update(permission['methods'])
|
||||||
if method in permission['methods'] and not append_allowed_methods:
|
|
||||||
return
|
|
||||||
|
|
||||||
# Check if the node is public or private. This must be set for non logged
|
# Check if the node is public or private. This must be set for non logged
|
||||||
# in users to see the content. For most BI projects this is on by default,
|
# in users to see the content. For most BI projects this is on by default,
|
||||||
# while for private project this will not be set at all.
|
# while for private project this will not be set at all.
|
||||||
if 'world' in computed_permissions:
|
if 'world' in computed_permissions:
|
||||||
allowed_methods += computed_permissions['world']
|
allowed_methods.update(computed_permissions['world'])
|
||||||
if method in computed_permissions['world'] and not append_allowed_methods:
|
|
||||||
|
permission_granted = method in allowed_methods
|
||||||
|
if permission_granted:
|
||||||
|
if append_allowed_methods:
|
||||||
|
resource['allowed_methods'] = list(set(allowed_methods))
|
||||||
return
|
return
|
||||||
|
|
||||||
if append_allowed_methods and method in allowed_methods:
|
abort(403)
|
||||||
resource['allowed_methods'] = list(set(allowed_methods))
|
|
||||||
return resource
|
|
||||||
|
|
||||||
return None
|
|
||||||
|
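Review bot: The denial log `log.info('No permissions available to compute for %s on resource %r', method, resource.get('node_type', resource))` falls back to dumping the entire `resource` dict whenever `node_type` is absent, which can push a node's full contents and permission structure into the log on every rejected request; logging a stable identifier instead, e.g. `resource.get('node_type', resource.get('_id', '<unknown>'))`, keeps the line useful without the dump — if every resource carries `node_type` this is moot, but the fallback suggests it does not. `resource['allowed_methods'] = list(set(allowed_methods))` wraps a value that is already a set; `sorted(allowed_methods)` is simpler and gives API clients a deterministic order, since set iteration order for strings varies between interpreter processes. The docstring's "If there is not match, we raise 403" should read "If there is no match, or the resource defines no permissions at all, we abort with 403; on success the computed methods are written to `resource['allowed_methods']` only when `append_allowed_methods` is set". `check_permissions` starts in the previous hunk and the branch that builds `computed_permissions` lies between the hunks, so whether `computed_permissions['groups']` or `['users']` can be missing (a KeyError here would surface as a 500 rather than a 403) cannot be judged from this view.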