Merge branch 'critical/API-token-auth-issues' into 'dev'

API Token authentication hardening

See merge request crafty-controller/crafty-4!366
This commit is contained in:
Andrew 2022-06-18 22:07:22 +00:00
commit b9ad296367
2 changed files with 30 additions and 2 deletions


@ -7,7 +7,7 @@ None
### Bug fixes ### Bug fixes
- Amend Java system variable fix to be more specfic since they only affect Oracle. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364)) - Amend Java system variable fix to be more specfic since they only affect Oracle. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364))
- API Token authentication hardening ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364))
### Tweaks ### Tweaks
- Add better error logging for statistic collection ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/359)) - Add better error logging for statistic collection ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/359))


@ -1058,6 +1058,11 @@ class PanelHandler(BaseHandler):
if user_id is None: if user_id is None:
self.redirect("/panel/error?error=Invalid User ID") self.redirect("/panel/error?error=Invalid User ID")
return return
if int(user_id) != exec_user["user_id"] and not exec_user["superuser"]:
self.redirect(
"/panel/error?error=You are not authorized to view this page."
)
return
template = "panel/panel_edit_user_apikeys.html" template = "panel/panel_edit_user_apikeys.html"
@ -1893,6 +1898,13 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/error?error=Invalid User ID") self.redirect("/panel/error?error=Invalid User ID")
return return
if str(user_id) != str(exec_user["user_id"]) and not exec_user["superuser"]:
self.redirect(
"/panel/error?error=You do not have access to change"
+ "this user's api key."
)
return
crafty_permissions_mask = self.get_perms() crafty_permissions_mask = self.get_perms()
server_permissions_mask = self.get_perms_server() server_permissions_mask = self.get_perms_server()
@ -1926,6 +1938,12 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/error?error=Invalid Key ID") self.redirect("/panel/error?error=Invalid Key ID")
return return
if key.user_id != exec_user["user_id"]:
self.redirect(
"/panel/error?error=You are not authorized to access this key."
)
return
self.controller.management.add_to_audit_log( self.controller.management.add_to_audit_log(
exec_user["user_id"], exec_user["user_id"],
f"Generated a new API token for the key {key.name} " f"Generated a new API token for the key {key.name} "
@ -2142,6 +2160,15 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/error?error=Invalid Key ID") self.redirect("/panel/error?error=Invalid Key ID")
return return
key_obj = self.controller.users.get_user_api_key(key_id)
if key_obj.user_id != exec_user["user_id"] and not exec_user["superuser"]:
self.redirect(
"/panel/error?error=You do not have access to change"
+ "this user's api key."
)
return
self.controller.users.delete_user_api_key(key_id) self.controller.users.delete_user_api_key(key_id)
self.controller.management.add_to_audit_log( self.controller.management.add_to_audit_log(
@ -2151,7 +2178,8 @@ class PanelHandler(BaseHandler):
server_id=0, server_id=0,
source_ip=self.get_remote_ip(), source_ip=self.get_remote_ip(),
) )
self.redirect("/panel/panel_config") self.finish()
self.redirect(f"/panel/edit_user_apikeys?id={key_obj.user_id}")
else: else:
self.set_status(404) self.set_status(404)
self.render( self.render(
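Review bot: The delete path now calls `self.finish()` and on the next line `self.redirect(f"/panel/edit_user_apikeys?id={key_obj.user_id}")`; if this is a Tornado RequestHandler (as the redirect/set_status/render calls suggest), `redirect()` finishes the response itself and refuses to run once headers have been written, so the second call would raise after an empty response has already gone out — dropping the `self.finish()` line and keeping only the redirect gives the intended behaviour. In the 1058 hunk `int(user_id) != exec_user["user_id"]` raises ValueError for a non-numeric id (the `is None` guard above it does not cover that case), whereas the 1893 hunk compares `str(user_id) != str(exec_user["user_id"])`; using the str() form in both keeps the authorization checks uniform and non-raising on bad input. The ownership check in the 1926 hunk, `if key.user_id != exec_user["user_id"]:`, is the only one without a superuser override; if that is deliberate, a comment such as `# Token generation is owner-only by design; no superuser bypass` would keep the next reader from treating it as an omission. All four enclosing methods start outside the hunks shown.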