From ea7aa93a28e6b48e79d72cde3d9b1f8a954339dc Mon Sep 17 00:00:00 2001
From: Oliver
Date: Fri, 24 May 2024 23:36:00 +1000
Subject: [PATCH] Merge pull request from GHSA-2crp-q9pc-457j (#7320)
* Merge pull request from GHSA-2crp-q9pc-457j
* ensure API login only works if mfa is not required
* add migration to log out users
* add migration to clear users
* Use `UV_SYSTEM_PYTHON` to allow the system Python interpreter instead of `VIRTUAL_ENV` (#7317)
* Fix docs links - pin to same branch
* Handle exception on migration
* Make migration non-atomic
---------
Co-authored-by: Matthias Mair
Co-authored-by: Zanie Blue
---
 .github/actions/setup/action.yaml | 7 +++--
 docs/docs/develop/contributing.md | 2 +-
 docs/docs/extend/plugins.md | 4 +--
 docs/docs/extend/plugins/locate.md | 2 +-
 docs/docs/extend/plugins/report.md | 2 +-
 docs/docs/extend/plugins/schedule.md | 2 +-
 docs/docs/extend/plugins/urls.md | 2 +-
 docs/docs/extend/plugins/validation.md | 2 +-
 docs/docs/report/bom.md | 2 +-
 docs/docs/report/build.md | 2 +-
 docs/docs/report/helpers.md | 2 +-
 docs/docs/report/purchase_order.md | 2 +-
 docs/docs/report/return_order.md | 2 +-
 docs/docs/report/sales_order.md | 2 +-
 docs/docs/report/stock_location.md | 2 +-
 docs/docs/report/test.md | 2 +-
 docs/docs/start/config.md | 2 +-
 src/backend/InvenTree/users/api.py | 21 +++++++++++--
 .../migrations/0011_auto_20240523_1640.py | 31 +++++++++++++++++++
 19 files changed, 71 insertions(+), 22 deletions(-)
 create mode 100644 src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 44ba540d33..247360816c 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -49,9 +49,10 @@ runs:
         shell: bash
         run: |
           python3 -m pip install -U pip
-          pip3 install invoke wheel uv
-      - name: Set the VIRTUAL_ENV variable for uv to work
-        run: echo "VIRTUAL_ENV=${Python_ROOT_DIR}" >> $GITHUB_ENV
+          pip3 install -U invoke wheel
+          pip3 install 'uv<0.3.0'
+      - name: Allow uv to use the system Python by default
+        run: echo "UV_SYSTEM_PYTHON=1" >> $GITHUB_ENV
         shell: bash
       - name: Install Specific Python Dependencies
         if: ${{ inputs.pip-dependency }}
diff --git a/docs/docs/develop/contributing.md b/docs/docs/develop/contributing.md
index 06df11fabb..05f5bb5362 100644
--- a/docs/docs/develop/contributing.md
+++ b/docs/docs/develop/contributing.md
@@ -96,7 +96,7 @@ The HEAD of the "stable" branch represents the latest stable release code.
 ## API versioning
-The [API version](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/InvenTree/api_version.py) needs to be bumped every time when the API is changed.
+The [API version](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/InvenTree/api_version.py) needs to be bumped every time when the API is changed.
 ## Environment
diff --git a/docs/docs/extend/plugins.md b/docs/docs/extend/plugins.md
index 2c298492f8..fa19023b55 100644
--- a/docs/docs/extend/plugins.md
+++ b/docs/docs/extend/plugins.md
@@ -28,7 +28,7 @@ Please read all release notes and watch out for warnings - we generally provide
 #### Plugins
-General classes and mechanisms are provided under the `plugin` [namespaces](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/plugin/__init__.py). These include:
+General classes and mechanisms are provided under the `plugin` [namespaces](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/plugin/__init__.py). These include:
 ```python
 # Management objects
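Review bot: The new `pip3 install -U invoke wheel` line pulls whatever the index serves on the day, while `uv` on the next line is only capped with `'uv<0.3.0'`, so this setup action resolves different tool versions from run to run and has no integrity check on any of them. For a CI action that goes on to install the project's dependencies, pinning all three to exact versions (or a hash-checked constraints file) keeps runs reproducible and narrows the supply-chain surface. The reason for the `uv` cap is also not recorded anywhere; a one-line comment above it, e.g. `# keep uv below 0.3.0: <REASON FOR THE CAP>`, would stop the next person from "fixing" it.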
@@ -44,7 +44,7 @@ MixinNotImplementedError # Is raised if a mixin was not implemented (core mec
 #### Mixins
-Mixins are split up internally to keep the source tree clean and enable better testing separation. All public APIs that should be used are exposed under `plugin.mixins`. These include all built-in mixins and notification methods. An up-to-date reference can be found in the source code (current master can be [found here](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/plugin/mixins/__init__.py)).
+Mixins are split up internally to keep the source tree clean and enable better testing separation. All public APIs that should be used are exposed under `plugin.mixins`. These include all built-in mixins and notification methods. An up-to-date reference can be found in the source code (current master can be [found here](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/plugin/mixins/__init__.py)).
 #### Models and other internal InvenTree APIs
diff --git a/docs/docs/extend/plugins/locate.md b/docs/docs/extend/plugins/locate.md
index 956dbedd7f..661dc7f100 100644
--- a/docs/docs/extend/plugins/locate.md
+++ b/docs/docs/extend/plugins/locate.md
@@ -28,4 +28,4 @@ If a locate plugin is installed and activated, the [InvenTree mobile app](../../
 ### Implementation
-Refer to the [InvenTree source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/plugin/samples/locate/locate_sample.py) for a simple implementation example.
+Refer to the [InvenTree source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/plugin/samples/locate/locate_sample.py) for a simple implementation example.
diff --git a/docs/docs/extend/plugins/report.md b/docs/docs/extend/plugins/report.md
index 0e2cdc671e..215c03bb65 100644
--- a/docs/docs/extend/plugins/report.md
+++ b/docs/docs/extend/plugins/report.md
@@ -16,7 +16,7 @@ Additionally the `add_label_context` method, allowing custom context data to be
 ### Example
-A sample plugin which provides additional context data to the report templates can be found [in the InvenTree source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/plugin/samples/integration/report_plugin_sample.py):
+A sample plugin which provides additional context data to the report templates can be found [in the InvenTree source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/plugin/samples/integration/report_plugin_sample.py):
 ```python
 """Sample plugin for extending reporting functionality"""
diff --git a/docs/docs/extend/plugins/schedule.md b/docs/docs/extend/plugins/schedule.md
index a72901b526..c6331ac3ca 100644
--- a/docs/docs/extend/plugins/schedule.md
+++ b/docs/docs/extend/plugins/schedule.md
@@ -59,4 +59,4 @@ class ScheduledTaskPlugin(ScheduleMixin, SettingsMixin, InvenTreePlugin):
 ```
 !!! info "More Info"
-    For more information on any of the methods described below, refer to the InvenTree source code. [A working example is available as a starting point](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/plugin/samples/integration/scheduled_task.py).
+    For more information on any of the methods described below, refer to the InvenTree source code. [A working example is available as a starting point](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/plugin/samples/integration/scheduled_task.py).
diff --git a/docs/docs/extend/plugins/urls.md b/docs/docs/extend/plugins/urls.md
index 4931904d39..06cdf1ecf7 100644
--- a/docs/docs/extend/plugins/urls.md
+++ b/docs/docs/extend/plugins/urls.md
@@ -65,7 +65,7 @@ Additionally, add the following imports after the extended line.
 #### Blocks
 The page_base file is split into multiple sections called blocks. This allows you to implement sections of the webpage while getting many items like navbars, sidebars, and general layout provided for you.
-The current default page base can be found [here](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/templates/page_base.html). Look through this file to determine overridable blocks. The [stock app](https://github.com/inventree/InvenTree/tree/master/src/backend/InvenTree/stock) offers a great example of implementing these blocks.
+The current default page base can be found [here](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/templates/page_base.html). Look through this file to determine overridable blocks. The [stock app](https://github.com/inventree/InvenTree/tree/master/src/backend/InvenTree/stock) offers a great example of implementing these blocks.
 !!! warning "Sidebar Block"
     You may notice that implementing the `sidebar` block doesn't initially work. Be sure to enable the sidebar using JavaScript. This can be achieved by appending the following code, replacing `label` with a label of your choosing, to the end of your template file.
diff --git a/docs/docs/extend/plugins/validation.md b/docs/docs/extend/plugins/validation.md
index a200ab2416..f7ed067dfc 100644
--- a/docs/docs/extend/plugins/validation.md
+++ b/docs/docs/extend/plugins/validation.md
@@ -9,7 +9,7 @@ The `ValidationMixin` class enables plugins to perform custom validation of obje
 Any of the methods described below can be implemented in a custom plugin to provide functionality as required.
 !!! info "More Info"
-    For more information on any of the methods described below, refer to the InvenTree source code. [A working example is available as a starting point](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/plugin/samples/integration/validation_sample.py).
+    For more information on any of the methods described below, refer to the InvenTree source code. [A working example is available as a starting point](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/plugin/samples/integration/validation_sample.py).
 !!! info "Multi Plugin Support"
     It is possible to have multiple plugins loaded simultaneously which support validation methods. For example when validating a field, if one plugin returns a null value (`None`) then the *next* plugin (if available) will be queried.
diff --git a/docs/docs/report/bom.md b/docs/docs/report/bom.md
index c6f18a3d2f..a3f2f692c5 100644
--- a/docs/docs/report/bom.md
+++ b/docs/docs/report/bom.md
@@ -183,4 +183,4 @@ Finally added a `{% raw %}|floatformat:0{% endraw %}` to the quantity that remov
 A default *BOM Report* template is provided out of the box, which is useful for generating simple test reports. Furthermore, it may be used as a starting point for developing custom BOM reports:
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_bill_of_materials_report.html) for the default test report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_bill_of_materials_report.html) for the default test report template.
diff --git a/docs/docs/report/build.md b/docs/docs/report/build.md
index e249fe108b..c94cc886a3 100644
--- a/docs/docs/report/build.md
+++ b/docs/docs/report/build.md
@@ -321,4 +321,4 @@ This will result a report page like this:
 A default *Build Report* template is provided out of the box, which is useful for generating simple test reports. Furthermore, it may be used as a starting point for developing custom BOM reports:
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_build_order_base.html) for the default build report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_build_order_base.html) for the default build report template.
diff --git a/docs/docs/report/helpers.md b/docs/docs/report/helpers.md
index 605d3e50cd..759c496b7a 100644
--- a/docs/docs/report/helpers.md
+++ b/docs/docs/report/helpers.md
@@ -12,7 +12,7 @@ Some common functions are provided for use in custom report and label templates.
 ```
 !!! tip "Use the Source, Luke"
-    To see the full range of available helper functions, refer to the source file [report.py](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templatetags/report.py) where these functions are defined!
+    To see the full range of available helper functions, refer to the source file [report.py](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templatetags/report.py) where these functions are defined!
 ## Assigning Variables
diff --git a/docs/docs/report/purchase_order.md b/docs/docs/report/purchase_order.md
index 045e1afa7a..8979ed90c7 100644
--- a/docs/docs/report/purchase_order.md
+++ b/docs/docs/report/purchase_order.md
@@ -62,4 +62,4 @@ Price: {% render_currency line.total_line_price %}
 A default *Purchase Order Report* template is provided out of the box, which is useful for generating simple test reports. Furthermore, it may be used as a starting point for developing custom BOM reports:
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_po_report_base.html) for the default purchase order report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_po_report_base.html) for the default purchase order report template.
diff --git a/docs/docs/report/return_order.md b/docs/docs/report/return_order.md
index c3403c7f98..9ee784ad70 100644
--- a/docs/docs/report/return_order.md
+++ b/docs/docs/report/return_order.md
@@ -23,4 +23,4 @@ In addition to the default report context variables, the following context varia
 A default report template is provided out of the box, which can be used as a starting point for developing custom return order report templates.
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_return_order_report_base.html) for the default return order report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_return_order_report_base.html) for the default return order report template.
diff --git a/docs/docs/report/sales_order.md b/docs/docs/report/sales_order.md
index 46e3aeddb5..c87868db00 100644
--- a/docs/docs/report/sales_order.md
+++ b/docs/docs/report/sales_order.md
@@ -28,4 +28,4 @@ In addition to the default report context variables, the following variables are
 A default *Sales Order Report* template is provided out of the box, which is useful for generating simple test reports. Furthermore, it may be used as a starting point for developing custom BOM reports:
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_so_report_base.html) for the default sales order report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_so_report_base.html) for the default sales order report template.
diff --git a/docs/docs/report/stock_location.md b/docs/docs/report/stock_location.md
index e1712c06d9..0568cae48b 100644
--- a/docs/docs/report/stock_location.md
+++ b/docs/docs/report/stock_location.md
@@ -13,4 +13,4 @@ You can use all content variables from the [StockLocation](./context_variables.m
 A default report template is provided out of the box, which can be used as a starting point for developing custom return order report templates.
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_slr_report.html) for the default stock location report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_slr_report.html) for the default stock location report template.
diff --git a/docs/docs/report/test.md b/docs/docs/report/test.md
index 7e6dcd67a2..49e15c2bd2 100644
--- a/docs/docs/report/test.md
+++ b/docs/docs/report/test.md
@@ -84,4 +84,4 @@ A default *Test Report* template is provided out of the box, which is useful for
 {% include "img.html" %}
 {% endwith %}
-View the [source code](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/report/templates/report/inventree_test_report_base.html) for the default test report template.
+View the [source code](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/report/templates/report/inventree_test_report_base.html) for the default test report template.
diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md
index c9035672e1..26fe50f193 100644
--- a/docs/docs/start/config.md
+++ b/docs/docs/start/config.md
@@ -22,7 +22,7 @@ The InvenTree server tries to locate the `config.yaml` configuration file on sta
 !!! tip "Config File Location"
     When the InvenTree server boots, it will report the location where it expects to find the configuration file
-The configuration file *template* can be found on [GitHub](https://github.com/inventree/InvenTree/blob/master/src/backend/InvenTree/config_template.yaml)
+The configuration file *template* can be found on [GitHub](https://github.com/inventree/InvenTree/blob/0.15.x/src/backend/InvenTree/config_template.yaml)
 !!! info "Template File"
     The default configuration file (as defined by the template linked above) will be copied to the specified configuration file location on first run, if a configuration file is not found in that location.
diff --git a/src/backend/InvenTree/users/api.py b/src/backend/InvenTree/users/api.py
index 43fe8ad521..6ff708dbca 100644
--- a/src/backend/InvenTree/users/api.py
+++ b/src/backend/InvenTree/users/api.py
@@ -3,11 +3,12 @@
 import datetime
 import logging
-from django.contrib.auth import get_user, login
+from django.contrib.auth import get_user, login, logout
 from django.contrib.auth.models import Group, User
 from django.urls import include, path, re_path
 from django.views.generic.base import RedirectView
+from allauth.account.adapter import get_adapter
 from dj_rest_auth.views import LoginView, LogoutView
 from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_view
 from rest_framework import exceptions, permissions
@@ -17,6 +18,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 import InvenTree.helpers
+from common.models import InvenTreeSetting
 from InvenTree.filters import SEARCH_ORDER_FILTER
 from InvenTree.mixins import (
     ListAPI,
@@ -216,7 +218,22 @@ class GroupList(ListCreateAPI):
 class Login(LoginView):
     """API view for logging in via API."""
-    ...
+    def process_login(self):
+        """Process the login request, ensure that MFA is enforced if required."""
+        # Normal login process
+        ret = super().process_login()
+
+        # Now check if MFA is enforced
+        user = self.request.user
+        adapter = get_adapter(self.request)
+
+        # User requires 2FA or MFA is enforced globally - no logins via API
+        if adapter.has_2fa_enabled(user) or InvenTreeSetting.get_setting(
+            'LOGIN_ENFORCE_MFA'
+        ):
+            logout(self.request)
+            raise exceptions.PermissionDenied('MFA required for this user')
+        return ret
 @extend_schema_view(
diff --git a/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py b/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
new file mode 100644
index 0000000000..cdda226fe9
--- /dev/null
+++ b/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
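Review bot: In the new `process_login` override the MFA decision is taken only after `super().process_login()` has already created the authenticated session, and it lives in a hook that, as far as I can tell, dj-rest-auth's `LoginView.login()` calls conditionally (only when session login is enabled) and after any API token has been issued — please confirm against the pinned dj-rest-auth version, because if that is right a deployment with session login disabled, or one issuing tokens, gets no MFA gate from this change. A safer shape is to refuse before anything is issued by overriding `login()` (the serializer has already verified the password by then) and raising `PermissionDenied` up front, which also removes the create-then-`logout()` dance; a sketch follows. Note too that a `PermissionDenied` here is distinguishable from a bad-credentials response, so a correct password is confirmed to the caller even though login is refused; if that is acceptable, say so in a comment such as `# Password already verified; refused only because MFA cannot be completed over the API`. The first two hunks are import-only.
```python
class Login(LoginView):
    """API view for logging in via API."""

    def login(self):
        """Refuse API login for MFA-gated accounts before any session or token is issued."""
        # The login serializer has already validated the credentials at this point
        user = self.serializer.validated_data['user']
        adapter = get_adapter(self.request)

        # User requires 2FA or MFA is enforced globally - no logins via API
        if adapter.has_2fa_enabled(user) or InvenTreeSetting.get_setting(
            'LOGIN_ENFORCE_MFA'
        ):
            raise exceptions.PermissionDenied('MFA required for this user')

        return super().login()
```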
@@ -0,0 +1,31 @@
+# Generated by Django 4.2.12 on 2024-05-23 16:40
+
+from importlib import import_module
+
+from django.conf import settings
+from django.db import migrations
+
+
+def clear_sessions(apps, schema_editor):
+    """Clear all user sessions."""
+
+    try:
+        engine = import_module(settings.SESSION_ENGINE)
+        engine.SessionStore.clear_expired()
+        print('Cleared all user sessions to deal with GHSA-2crp-q9pc-457j')
+    except Exception:
+        # Database may not be ready yet, so this does not matter anyhow
+        pass
+class Migration(migrations.Migration):
+
+    atomic = False
+
+    dependencies = [
+        ("users", "0010_alter_apitoken_key"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            clear_sessions, reverse_code=migrations.RunPython.noop,
+        )
+    ]
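Review bot: `engine.SessionStore.clear_expired()` in `clear_sessions` removes only sessions whose expiry date has already passed, so the live sessions this migration exists to invalidate (the commit message says "log out users") survive it, and both the docstring and the printed "Cleared all user sessions" message overstate what happens. For the database-backed engine the whole session table has to be deleted, e.g. `apps.get_model('sessions', 'Session').objects.all().delete()`, which also requires `('sessions', '0001_initial')` in `dependencies`; cache-only engines keep no rows, so that case should be a deliberate no-op rather than a swallowed exception. The `except Exception: pass` hides every failure of a security-relevant migration, including a real database error — at least report the exception so operators know sessions were not cleared. A sketch of the function follows; the `Migration` class only needs the extra dependency.
```python
def clear_sessions(apps, schema_editor):
    """Delete every stored session (not only expired ones) so all users must log in again."""
    try:
        Session = apps.get_model('sessions', 'Session')
    except LookupError:
        # Sessions app not in this migration state (e.g. cache-only engine): nothing stored in the DB
        return

    try:
        Session.objects.using(schema_editor.connection.alias).all().delete()
        print('Cleared all user sessions to deal with GHSA-2crp-q9pc-457j')
    except Exception as exc:
        # Do not hide a failure of a security-relevant migration
        print(f'Failed to clear user sessions: {exc}')

# … unchanged: Migration class (add ('sessions', '0001_initial') to dependencies) …
```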