api: don't open users API to restricted API users (#53865)
This commit is contained in:
parent
6b73866bc2
commit
8b629deef1
|
@ -368,6 +368,26 @@ def test_user_api_with_restricted_access(pub):
|
|||
assert resp.json['err_desc'] == 'restricted API access'
|
||||
|
||||
|
||||
def test_users_api_with_restricted_access(pub, local_user):
|
||||
role = pub.role_class(name='test')
|
||||
role.store()
|
||||
|
||||
access = ApiAccess()
|
||||
access.name = 'test'
|
||||
access.access_identifier = 'test'
|
||||
access.access_key = '12345'
|
||||
access.roles = [role]
|
||||
access.store()
|
||||
|
||||
resp = get_app(pub).get(sign_uri('/api/users/', orig='test', key='12345'), status=403)
|
||||
assert resp.json['err'] == 1
|
||||
assert resp.json['err_desc'] == 'restricted API access'
|
||||
|
||||
resp = get_app(pub).get(sign_uri('/api/users/%s/' % local_user.id, orig='test', key='12345'), status=403)
|
||||
assert resp.json['err'] == 1
|
||||
assert resp.json['err_desc'] == 'restricted API access'
|
||||
|
||||
|
||||
def test_user_forms_limit_offset(pub, local_user):
|
||||
if not pub.is_using_postgresql():
|
||||
pytest.skip('this requires SQL')
|
||||
|
|
|
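Review bot: test_users_api_with_restricted_access only exercises the refusal path; nothing asserts that `/api/users/` and `/api/users/<id>/` still answer 200 for a signed request that does not go through an ApiAccess object, so a regression that denies every caller would pass this test unnoticed. Suggest a third request at the end of the function using the signing the positive users-API tests already use in this file (hedged: the fixture is not visible here), e.g. `resp = get_app(pub).get(sign_uri('/api/users/'), status=200)`. The two `err == 1` / `err_desc` assertions are fine as written.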
@ -974,6 +974,10 @@ class ApiUsersDirectory(Directory):
|
|||
# allowed to submit forms (as they have a form to select an user).
|
||||
raise AccessForbiddenError('unsigned request or user has no access to backoffice')
|
||||
|
||||
api_user = get_user_from_api_query_string()
|
||||
if api_user and api_user.is_api_user:
|
||||
raise AccessForbiddenError('restricted API access')
|
||||
|
||||
criterias = [st.Null('deleted_timestamp')]
|
||||
query = get_request().form.get('q')
|
||||
if query:
|
||||
|
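Review bot: The lines `api_user = get_user_from_api_query_string()` and `if api_user and api_user.is_api_user:` are repeated verbatim in `_q_lookup` in the next hunk; a small helper on ApiUsersDirectory would keep both entry points in step when the check changes. The attribute `is_api_user` is only shown on ApiAccess in this commit; if `get_user_from_api_query_string()` can return a regular user object that does not declare it, the condition raises AttributeError instead of denying, so either confirm the user class defines `is_api_user = False` or read it with `getattr(api_user, 'is_api_user', False)`. The enclosing method starts before this hunk.
```python
    def _reject_restricted_api_user(self):
        # ApiAccess credentials (is_api_user = True) may not browse users.
        api_user = get_user_from_api_query_string()
        if getattr(api_user, 'is_api_user', False):
            raise AccessForbiddenError('restricted API access')
# … unchanged: signature / backoffice check, then call self._reject_restricted_api_user() …
```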
@ -1020,6 +1024,11 @@ class ApiUsersDirectory(Directory):
|
|||
def _q_lookup(self, component):
|
||||
if not (is_url_signed() or (get_request().user and get_request().user.can_go_in_admin())):
|
||||
raise AccessForbiddenError('unsigned request or user has no access to backoffice')
|
||||
|
||||
api_user = get_user_from_api_query_string()
|
||||
if api_user and api_user.is_api_user:
|
||||
raise AccessForbiddenError('restricted API access')
|
||||
|
||||
user_class = get_publisher().user_class
|
||||
try:
|
||||
int(component) # makes sure this is an id
|
||||
|
|
|
@ -88,6 +88,9 @@ class ApiAccess(XmlStorableObject):
|
|||
is_admin = False
|
||||
is_api_user = True
|
||||
|
||||
def can_go_in_admin(self):
|
||||
return False
|
||||
|
||||
def can_go_in_backoffice(self):
|
||||
return False
|
||||
|
||||
|
|
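Review bot: `is_api_user = True` and the two `can_go_in_*` overrides are added to ApiAccess without a comment saying why, although ApiUsersDirectory now keys its 'restricted API access' refusal on `is_api_user` and `_q_lookup` on `can_go_in_admin()`. Suggest `# API-access credentials are not users: never admin/backoffice, and flagged for the restricted-API checks in ApiUsersDirectory` above `is_api_user = True`. Because the users directory evaluates `api_user.is_api_user` on whatever `get_user_from_api_query_string()` returns, the regular user class presumably needs a matching `is_api_user = False`; that is not visible in this commit and is worth confirming. The rest of the class lies outside the hunk.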