Merge branch 'bugfix/authentication-return' into 'dev'

Fix API authentication stack See merge request crafty-controller/crafty-4!759
2024-08-30 18:23:09 +00:00 · 2024-05-11 22:41:58 +00:00 · 2024-05-11 22:41:58 +00:00 · 9f4e48deec
commit 9f4e48deec
parent 738e145375 c5e7b4a3b5
16 changed files with 45 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,7 +1,7 @@
 # Changelog
-## --- [4.4.0] - 2024/05/10
+## --- [4.4.0] - 2024/05/11
 ### Refactor
- Refactor API keys "super user" to "full access" ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/731))
+- Refactor API keys "super user" to "full access" ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/731) | [Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/759))
 - Refactor SBuilder to use Big Bucket Svc ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/755))
 ### Bug fixes
 - Reset query arguments on login if `?next` is not available ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/750))
--- a/app/classes/web/routes/api/crafty/announcements/index.py
+++ b/app/classes/web/routes/api/crafty/announcements/index.py
@ -26,6 +26,7 @@ class ApiAnnounceIndexHandler(BaseApiHandler):
            _,
            _,
            _user,
+            _,
        ) = auth_data

        data = self.helper.get_announcements()
@ -72,6 +73,7 @@ class ApiAnnounceIndexHandler(BaseApiHandler):
            _,
            _,
            _user,
+            _,
        ) = auth_data
        try:
            data = json.loads(self.request.body)
--- a/app/classes/web/routes/api/crafty/clogs/index.py
+++ b/app/classes/web/routes/api/crafty/clogs/index.py
@ -14,6 +14,7 @@ class ApiCraftyLogIndexHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        if not superuser:
--- a/app/classes/web/routes/api/crafty/config/index.py
+++ b/app/classes/web/routes/api/crafty/config/index.py
@ -68,6 +68,7 @@ class ApiCraftyConfigIndexHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        # GET /api/v2/roles?ids=true
@ -94,13 +95,7 @@ class ApiCraftyConfigIndexHandler(BaseApiHandler):
        auth_data = self.authenticate_user()
        if not auth_data:
            return
-        (
-            _,
-            _,
-            _,
-            superuser,
-            user,
-        ) = auth_data
+        (_, _, _, superuser, user, _) = auth_data

        if not superuser:
            return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
@ -150,6 +145,7 @@ class ApiCraftyCustomizeIndexHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        # GET /api/v2/roles?ids=true
@ -182,6 +178,7 @@ class ApiCraftyCustomizeIndexHandler(BaseApiHandler):
            _,
            superuser,
            user,
+            _,
        ) = auth_data
        if not superuser:
            return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
--- a/app/classes/web/routes/api/crafty/config/server_dir.py
+++ b/app/classes/web/routes/api/crafty/config/server_dir.py
@ -24,6 +24,7 @@ class ApiCraftyConfigServerDirHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        # GET /api/v2/roles?ids=true
@ -56,6 +57,7 @@ class ApiCraftyConfigServerDirHandler(BaseApiHandler):
            _,
            _,
            _,
+            _,
        ) = auth_data

        if not auth_data:
--- a/app/classes/web/routes/api/crafty/exe_cache.py
+++ b/app/classes/web/routes/api/crafty/exe_cache.py
@ -12,6 +12,7 @@ class ApiCraftyJarCacheIndexHandler(BaseApiHandler):
            _,
            _,
            _,
+            _,
        ) = auth_data

        if not auth_data[4]["superuser"]:
--- a/app/classes/web/routes/api/roles/index.py
+++ b/app/classes/web/routes/api/roles/index.py
@ -75,6 +75,7 @@ class ApiRolesIndexHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        # GET /api/v2/roles?ids=true
@ -107,6 +108,7 @@ class ApiRolesIndexHandler(BaseApiHandler):
            _,
            superuser,
            user,
+            _,
        ) = auth_data

        if not superuser:
--- a/app/classes/web/routes/api/roles/role/index.py
+++ b/app/classes/web/routes/api/roles/role/index.py
@ -74,6 +74,7 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        if not superuser:
@ -97,6 +98,7 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
            _,
            superuser,
            user,
+            _,
        ) = auth_data

        if not superuser:
@ -126,10 +128,19 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
            _,
            superuser,
            user,
+            _,
        ) = auth_data

-        if not superuser:
-            return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
+        role = self.controller.roles.get_role(role_id)
+        if not superuser and user["user_id"] != role["manager"]:
+            return self.finish_json(
+                400,
+                {
+                    "status": "error",
+                    "error": "NOT_AUTHORIZED",
+                    "error_data": "Not Authorized",
+                },
+            )

        try:
            data = orjson.loads(self.request.body)
--- a/app/classes/web/routes/api/roles/role/servers.py
+++ b/app/classes/web/routes/api/roles/role/servers.py
@ -13,6 +13,7 @@ class ApiRolesRoleServersHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        # GET /api/v2/roles/role/servers?ids=true
--- a/app/classes/web/routes/api/roles/role/users.py
+++ b/app/classes/web/routes/api/roles/role/users.py
@ -12,6 +12,7 @@ class ApiRolesRoleUsersHandler(BaseApiHandler):
            _,
            superuser,
            _,
+            _,
        ) = auth_data

        if not superuser:
--- a/app/classes/web/routes/api/servers/index.py
+++ b/app/classes/web/routes/api/servers/index.py
@ -685,6 +685,7 @@ class ApiServersIndexHandler(BaseApiHandler):
            _,
            _superuser,
            user,
+            _,
        ) = auth_data

        if EnumPermissionsCrafty.SERVER_CREATION not in exec_user_crafty_permissions:
--- a/app/classes/web/routes/api/users/index.py
+++ b/app/classes/web/routes/api/users/index.py
@ -21,6 +21,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
            _,
            _,
            user,
+            _,
        ) = auth_data

        # GET /api/v2/users?ids=true
@ -70,6 +71,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
            _,
            superuser,
            user,
+            _,
        ) = auth_data

        if EnumPermissionsCrafty.USER_CONFIG not in exec_user_crafty_permissions:
@ -149,11 +151,12 @@ class ApiUsersIndexHandler(BaseApiHandler):
                400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"}
            )

-        if len(roles) != 0 and not superuser:
-            # HACK: This should check if the user has the roles or something
-            return self.finish_json(
-                400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
-            )
+        for role in roles:
+            role = self.controller.roles.get_role(role)
+            if int(role["manager"]) != int(auth_data[4]["user_id"]) and not superuser:
+                return self.finish_json(
+                    400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
+                )

        # TODO: do this in the most efficient way
        user_id = self.controller.users.add_user(
--- a/app/classes/web/routes/api/users/user/api.py
+++ b/app/classes/web/routes/api/users/user/api.py
@ -113,6 +113,7 @@ class ApiUsersUserKeyHandler(BaseApiHandler):
            _,
            _superuser,
            user,
+            _,
        ) = auth_data

        try:
@ -188,6 +189,7 @@ class ApiUsersUserKeyHandler(BaseApiHandler):
            _,
            _,
            _user,
+            _,
        ) = auth_data
        if key_id:
            key = self.controller.users.get_user_api_key(key_id)
--- a/app/classes/web/routes/api/users/user/index.py
+++ b/app/classes/web/routes/api/users/user/index.py
@ -24,6 +24,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
            _,
            _,
            user,
+            _,
        ) = auth_data

        if user_id in ["@me", user["user_id"]]:
@ -72,6 +73,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
            _,
            _,
            user,
+            _,
        ) = auth_data

        if (user_id in ["@me", user["user_id"]]) and self.helper.get_setting(
@ -121,6 +123,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
            _,
            superuser,
            user,
+            _,
        ) = auth_data

        try:
--- a/app/classes/web/routes/api/users/user/permissions.py
+++ b/app/classes/web/routes/api/users/user/permissions.py
@ -27,6 +27,7 @@ class ApiUsersUserPermissionsHandler(BaseApiHandler):
            _,
            _,
            user,
+            _,
        ) = auth_data

        if user_id in ["@me", user["user_id"]]:
--- a/app/classes/web/routes/api/users/user/public.py
+++ b/app/classes/web/routes/api/users/user/public.py
@ -17,6 +17,7 @@ class ApiUsersUserPublicHandler(BaseApiHandler):
            _,
            _,
            user,
+            _,
        ) = auth_data

        if user_id == "@me":