Check invalid IDs on roles

* Only allow number IDs to the role handlers * Catch DoesNotExist errors
2024-08-30 18:23:09 +00:00 · 2022-05-18 22:34:33 +03:00 · 2022-05-18 22:34:33 +03:00 · 2bc26ef3fd
commit 2bc26ef3fd
parent 74198ff81c
2 changed files with 17 additions and 10 deletions
--- a/app/classes/web/routes/api/api_handlers.py
+++ b/app/classes/web/routes/api/api_handlers.py
@ -120,17 +120,17 @@ def api_handlers(handler_args):
            handler_args,
        ),
        (
-            r"/api/v2/roles/([a-z0-9_]+)/?",
+            r"/api/v2/roles/([0-9]+)/?",
            ApiRolesRoleIndexHandler,
            handler_args,
        ),
        (
-            r"/api/v2/roles/([a-z0-9_]+)/servers/?",
+            r"/api/v2/roles/([0-9]+)/servers/?",
            ApiRolesRoleServersHandler,
            handler_args,
        ),
        (
-            r"/api/v2/roles/([a-z0-9_]+)/users/?",
+            r"/api/v2/roles/([0-9]+)/users/?",
            ApiRolesRoleUsersHandler,
            handler_args,
        ),
--- a/app/classes/web/routes/api/roles/role/index.py
+++ b/app/classes/web/routes/api/roles/role/index.py
@ -1,5 +1,6 @@
 from jsonschema import ValidationError, validate
 import orjson
+from peewee import DoesNotExist
 from app.classes.web.base_api_handler import BaseApiHandler

 modify_role_schema = {
@ -51,10 +52,13 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
        if not superuser:
            return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})

-        self.finish_json(
-            200,
-            {"status": "ok", "data": self.controller.roles.get_role(role_id)},
-        )
+        try:
+            self.finish_json(
+                200,
+                {"status": "ok", "data": self.controller.roles.get_role(role_id)},
+            )
+        except DoesNotExist:
+            self.finish_json(404, {"status": "error", "error": "ROLE_NOT_FOUND"})

    def delete(self, role_id: str):
        auth_data = self.authenticate_user()
@ -119,9 +123,12 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
                },
            )

-        self.controller.roles.update_role_advanced(
-            role_id, data.get("role_name", None), data.get("servers", None)
-        )
+        try:
+            self.controller.roles.update_role_advanced(
+                role_id, data.get("role_name", None), data.get("servers", None)
+            )
+        except DoesNotExist:
+            return self.finish_json(404, {"status": "error", "error": "ROLE_NOT_FOUND"})

        self.controller.management.add_to_audit_log(
            user["user_id"],