Merge branch 'bugfix/authentication-return' into 'dev'

Fix API authentication stack

See merge request crafty-controller/crafty-4!759
Iain Powrie 2024-05-11 22:41:58 +00:00
commit 9f4e48deec
16 changed files with 45 additions and 16 deletions


@ -1,7 +1,7 @@
# Changelog
## --- [4.4.0] - 2024/05/10
## --- [4.4.0] - 2024/05/11
### Refactor
- Refactor API keys "super user" to "full access" ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/731))
- Refactor API keys "super user" to "full access" ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/731) | [Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/759))
- Refactor SBuilder to use Big Bucket Svc ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/755))
### Bug fixes
- Reset query arguments on login if `?next` is not available ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/750))


@ -26,6 +26,7 @@ class ApiAnnounceIndexHandler(BaseApiHandler):
_,
_,
_user,
_,
) = auth_data
data = self.helper.get_announcements()
@ -72,6 +73,7 @@ class ApiAnnounceIndexHandler(BaseApiHandler):
_,
_,
_user,
_,
) = auth_data
try:
data = json.loads(self.request.body)
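Review bot: Every handler in this commit is repaired only by appending a sixth `_,` placeholder to a positional unpack of `auth_data`, which is exactly the kind of breakage being fixed here and will recur the next time `authenticate_user()` grows a field. Consider having `authenticate_user()` (not in this diff) return a `typing.NamedTuple` so handlers read `auth_data.user` or `auth_data.superuser` and simply ignore fields they do not use; the same unpack pattern appears in every other section of this commit, from the `ApiCraftyLogIndexHandler` hunk down to `ApiUsersUserPublicHandler`. Short of that, a comment at each unpack naming what the six positions hold would let a reader check the `_` placeholders against the intended field, e.g. `# auth_data positions: (<0>, <1>, <2>, superuser, user, <5>) -- confirm against authenticate_user()`. The enclosing methods begin above each hunk, so the `auth_data = self.authenticate_user()` and `if not auth_data` lines are not visible here.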


@ -14,6 +14,7 @@ class ApiCraftyLogIndexHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
if not superuser:


@ -68,6 +68,7 @@ class ApiCraftyConfigIndexHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
# GET /api/v2/roles?ids=true
@ -94,13 +95,7 @@ class ApiCraftyConfigIndexHandler(BaseApiHandler):
auth_data = self.authenticate_user()
if not auth_data:
return
(
_,
_,
_,
superuser,
user,
) = auth_data
(_, _, _, superuser, user, _) = auth_data
if not superuser:
return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
@ -150,6 +145,7 @@ class ApiCraftyCustomizeIndexHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
# GET /api/v2/roles?ids=true
@ -182,6 +178,7 @@ class ApiCraftyCustomizeIndexHandler(BaseApiHandler):
_,
superuser,
user,
_,
) = auth_data
if not superuser:
return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})


@ -24,6 +24,7 @@ class ApiCraftyConfigServerDirHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
# GET /api/v2/roles?ids=true
@ -56,6 +57,7 @@ class ApiCraftyConfigServerDirHandler(BaseApiHandler):
_,
_,
_,
_,
) = auth_data
if not auth_data:
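Review bot: In the second hunk of this section the `if not auth_data:` guard on the line after `) = auth_data` runs only after the tuple has already been unpacked, so a `None` return from `authenticate_user()` would raise `TypeError` on the unpack before the guard is ever reached. If the method already returns early on a falsy `auth_data` above the hunk, as the `ApiCraftyConfigIndexHandler` section shows with `if not auth_data: return`, this second check is dead and should be dropped; if it does not, the guard needs to move above the unpack. The start of this method is outside the hunk, so which case applies cannot be confirmed from here.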


@ -12,6 +12,7 @@ class ApiCraftyJarCacheIndexHandler(BaseApiHandler):
_,
_,
_,
_,
) = auth_data
if not auth_data[4]["superuser"]:
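Review bot: `if not auth_data[4]["superuser"]:` reaches into the tuple by index immediately after all of its positions were unpacked into `_` placeholders, which is the fragile access pattern this commit is repairing: a further change to the tuple layout would silently shift index 4 without any unpack error to flag it. Unpack the element by name instead; based on the `(_, _, _, superuser, user, _) = auth_data` form used elsewhere in this commit, position 4 is `user`, so the third of the four visible `_,` lines would become `user,` and the check `if not user["superuser"]:`. The first two positions of the unpack and the surrounding method are outside the hunk, so confirm the layout against `authenticate_user()` before relying on it.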


@ -75,6 +75,7 @@ class ApiRolesIndexHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
# GET /api/v2/roles?ids=true
@ -107,6 +108,7 @@ class ApiRolesIndexHandler(BaseApiHandler):
_,
superuser,
user,
_,
) = auth_data
if not superuser:


@ -74,6 +74,7 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
if not superuser:
@ -97,6 +98,7 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
_,
superuser,
user,
_,
) = auth_data
if not superuser:
@ -126,10 +128,19 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
_,
superuser,
user,
_,
) = auth_data
if not superuser:
return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
role = self.controller.roles.get_role(role_id)
if not superuser and user["user_id"] != role["manager"]:
return self.finish_json(
400,
{
"status": "error",
"error": "NOT_AUTHORIZED",
"error_data": "Not Authorized",
},
)
try:
data = orjson.loads(self.request.body)
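Review bot: In the third hunk, the `if not superuser and user["user_id"] != role["manager"]:` branch can never run if the `if not superuser:` early return two lines above it survives on the new side, because both conditions require `not superuser`; the rendered view does not show whether that early return was removed by this commit, so please check which lines are live. Separately, the comparison `user["user_id"] != role["manager"]` is made without the `int(...)` casts that the equivalent check in the `ApiUsersIndexHandler` section uses (`int(role["manager"]) != int(auth_data[4]["user_id"])`); if either side is stored as a string the inequality is always true and every non-superuser manager is rejected, so the two sites should agree, e.g. `if not superuser and int(user["user_id"]) != int(role["manager"]):`. The enclosing method begins above the hunk.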


@ -13,6 +13,7 @@ class ApiRolesRoleServersHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
# GET /api/v2/roles/role/servers?ids=true


@ -12,6 +12,7 @@ class ApiRolesRoleUsersHandler(BaseApiHandler):
_,
superuser,
_,
_,
) = auth_data
if not superuser:


@ -685,6 +685,7 @@ class ApiServersIndexHandler(BaseApiHandler):
_,
_superuser,
user,
_,
) = auth_data
if EnumPermissionsCrafty.SERVER_CREATION not in exec_user_crafty_permissions:


@ -21,6 +21,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
_,
_,
user,
_,
) = auth_data
# GET /api/v2/users?ids=true
@ -70,6 +71,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
_,
superuser,
user,
_,
) = auth_data
if EnumPermissionsCrafty.USER_CONFIG not in exec_user_crafty_permissions:
@ -149,8 +151,9 @@ class ApiUsersIndexHandler(BaseApiHandler):
400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"}
)
if len(roles) != 0 and not superuser:
# HACK: This should check if the user has the roles or something
for role in roles:
role = self.controller.roles.get_role(role)
if int(role["manager"]) != int(auth_data[4]["user_id"]) and not superuser:
return self.finish_json(
400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
)
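Review bot: `int(role["manager"]) != int(auth_data[4]["user_id"])` indexes the tuple positionally even though the unpack in the hunk above binds that same element as `user` (assuming both hunks belong to the same method, which the hunk headers suggest but do not prove), and the trailing `and not superuser` is already guaranteed by the enclosing `if len(roles) != 0 and not superuser:`. The loop also rebinds its own variable, `role = self.controller.roles.get_role(role)`, so the role id is lost after the first line of the body. The three lines would read `for role_id in roles:` / `role = self.controller.roles.get_role(role_id)` / `if int(role["manager"]) != int(user["user_id"]):`, with the existing `HACK` comment left in place. The enclosing method starts above the hunk.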


@ -113,6 +113,7 @@ class ApiUsersUserKeyHandler(BaseApiHandler):
_,
_superuser,
user,
_,
) = auth_data
try:
@ -188,6 +189,7 @@ class ApiUsersUserKeyHandler(BaseApiHandler):
_,
_,
_user,
_,
) = auth_data
if key_id:
key = self.controller.users.get_user_api_key(key_id)


@ -24,6 +24,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
_,
_,
user,
_,
) = auth_data
if user_id in ["@me", user["user_id"]]:
@ -72,6 +73,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
_,
_,
user,
_,
) = auth_data
if (user_id in ["@me", user["user_id"]]) and self.helper.get_setting(
@ -121,6 +123,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
_,
superuser,
user,
_,
) = auth_data
try:


@ -27,6 +27,7 @@ class ApiUsersUserPermissionsHandler(BaseApiHandler):
_,
_,
user,
_,
) = auth_data
if user_id in ["@me", user["user_id"]]:


@ -17,6 +17,7 @@ class ApiUsersUserPublicHandler(BaseApiHandler):
_,
_,
user,
_,
) = auth_data
if user_id == "@me":