Merge branch 'critical/API-token-auth-issues' into 'dev'

API Token authentication hardening

See merge request crafty-controller/crafty-4!366

CHANGELOG.md

@@ -7,7 +7,7 @@ None
 
 ### Bug fixes
 - Amend Java system variable fix to be more specfic since they only affect Oracle. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364))
-
+- API Token authentication hardening ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364))
 ### Tweaks
 - Add better error logging for statistic collection ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/359))
 

app/classes/web/panel_handler.py

@@ -1058,6 +1058,11 @@ class PanelHandler(BaseHandler):
             if user_id is None:
                 self.redirect("/panel/error?error=Invalid User ID")
                 return
+            if int(user_id) != exec_user["user_id"] and not exec_user["superuser"]:
+                self.redirect(
+                    "/panel/error?error=You are not authorized to view this page."
+                )
+                return
 
             template = "panel/panel_edit_user_apikeys.html"
 
@@ -1893,6 +1898,13 @@ class PanelHandler(BaseHandler):
                 self.redirect("/panel/error?error=Invalid User ID")
                 return
 
+            if str(user_id) != str(exec_user["user_id"]) and not exec_user["superuser"]:
+                self.redirect(
+                    "/panel/error?error=You do not have access to change"
+                    + "this user's api key."
+                )
+                return
+
             crafty_permissions_mask = self.get_perms()
             server_permissions_mask = self.get_perms_server()
 
@@ -1926,6 +1938,12 @@ class PanelHandler(BaseHandler):
                 self.redirect("/panel/error?error=Invalid Key ID")
                 return
 
+            if key.user_id != exec_user["user_id"]:
+                self.redirect(
+                    "/panel/error?error=You are not authorized to access this key."
+                )
+                return
+
             self.controller.management.add_to_audit_log(
                 exec_user["user_id"],
                 f"Generated a new API token for the key {key.name} "
@@ -2142,6 +2160,15 @@ class PanelHandler(BaseHandler):
                 self.redirect("/panel/error?error=Invalid Key ID")
                 return
 
+            key_obj = self.controller.users.get_user_api_key(key_id)
+
+            if key_obj.user_id != exec_user["user_id"] and not exec_user["superuser"]:
+                self.redirect(
+                    "/panel/error?error=You do not have access to change"
+                    + "this user's api key."
+                )
+                return
+
             self.controller.users.delete_user_api_key(key_id)
 
             self.controller.management.add_to_audit_log(
@@ -2151,7 +2178,8 @@ class PanelHandler(BaseHandler):
                 server_id=0,
                 source_ip=self.get_remote_ip(),
             )
-            self.redirect("/panel/panel_config")
+            self.finish()
+            self.redirect(f"/panel/edit_user_apikeys?id={key_obj.user_id}")
         else:
             self.set_status(404)
             self.render(