Secure write access to /users endpoint

- Admins can PUT everything
- Users can only PUT themselves
- The 'auth' field is always taken from the original, and never overwritten
  by the PUT. It can be missing from the request, so you can GET and then
  PUT the same data.
- Nobody can POST or DELETE users
2016-04-26 11:04:28 +02:00
parent 5c04cdbd6e
commit e600d87592
3 changed files with 129 additions and 17 deletions


@@ -705,8 +705,8 @@ users = {
'cache_control': 'max-age=10,must-revalidate',
'cache_expires': 10,
'resource_methods': ['GET', 'POST'],
'resource_methods': ['GET'],
'item_methods': ['GET', 'PUT'],
'public_methods': [],
# By default don't include the 'auth' field. It can still be obtained
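Review bot: dropping 'POST' from 'resource_methods' enforces only the "Nobody can POST" bullet of the commit message at the config level; the per-user PUT restriction and the rule that 'auth' is always taken from the original document are not visible in this hunk, so they must live in a request hook in one of the other changed files, and a one-line comment next to 'item_methods': ['GET', 'PUT'] pointing at that hook would make the access model readable from the config alone. Also worth confirming that, with 'resource_methods': ['GET'], users can still be created out of band, since the API no longer offers a way to do it.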