api: don't open users API to restricted API users (#53865)

2021-05-07 19:37:27 +02:00 · 2021-05-07 19:37:27 +02:00 · 8b629deef1
parent 6b73866bc2
commit 8b629deef1
3 changed files with 32 additions and 0 deletions
--- a/tests/api/test_user.py
+++ b/tests/api/test_user.py
@ -368,6 +368,26 @@ def test_user_api_with_restricted_access(pub):
    assert resp.json['err_desc'] == 'restricted API access'


+def test_users_api_with_restricted_access(pub, local_user):
+    role = pub.role_class(name='test')
+    role.store()
+
+    access = ApiAccess()
+    access.name = 'test'
+    access.access_identifier = 'test'
+    access.access_key = '12345'
+    access.roles = [role]
+    access.store()
+
+    resp = get_app(pub).get(sign_uri('/api/users/', orig='test', key='12345'), status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'restricted API access'
+
+    resp = get_app(pub).get(sign_uri('/api/users/%s/' % local_user.id, orig='test', key='12345'), status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'restricted API access'
+
+
 def test_user_forms_limit_offset(pub, local_user):
    if not pub.is_using_postgresql():
        pytest.skip('this requires SQL')
--- a/wcs/api.py
+++ b/wcs/api.py
@ -974,6 +974,10 @@ class ApiUsersDirectory(Directory):
            # allowed to submit forms (as they have a form to select an user).
            raise AccessForbiddenError('unsigned request or user has no access to backoffice')

+        api_user = get_user_from_api_query_string()
+        if api_user and api_user.is_api_user:
+            raise AccessForbiddenError('restricted API access')
+
        criterias = [st.Null('deleted_timestamp')]
        query = get_request().form.get('q')
        if query:
@ -1020,6 +1024,11 @@ class ApiUsersDirectory(Directory):
    def _q_lookup(self, component):
        if not (is_url_signed() or (get_request().user and get_request().user.can_go_in_admin())):
            raise AccessForbiddenError('unsigned request or user has no access to backoffice')
+
+        api_user = get_user_from_api_query_string()
+        if api_user and api_user.is_api_user:
+            raise AccessForbiddenError('restricted API access')
+
        user_class = get_publisher().user_class
        try:
            int(component)  # makes sure this is an id
--- a/wcs/api_access.py
+++ b/wcs/api_access.py
@ -88,6 +88,9 @@ class ApiAccess(XmlStorableObject):
            is_admin = False
            is_api_user = True

+            def can_go_in_admin(self):
+                return False
+
            def can_go_in_backoffice(self):
                return False