diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb133fa2..c7ed7771 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,7 @@
 # Changelog
-## --- [4.4.0] - 2024/05/10
+## --- [4.4.0] - 2024/05/11
 ### Refactor
-- Refactor API keys "super user" to "full access" ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/731))
+- Refactor API keys "super user" to "full access" ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/731) | [Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/759))
 - Refactor SBuilder to use Big Bucket Svc ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/755))
 ### Bug fixes
 - Reset query arguments on login if `?next` is not available ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/750))
diff --git a/app/classes/web/routes/api/crafty/announcements/index.py b/app/classes/web/routes/api/crafty/announcements/index.py
index 75f00f16..d66c4473 100644
--- a/app/classes/web/routes/api/crafty/announcements/index.py
+++ b/app/classes/web/routes/api/crafty/announcements/index.py
@@ -26,6 +26,7 @@ class ApiAnnounceIndexHandler(BaseApiHandler):
 _,
 _,
 _user,
+ _,
 ) = auth_data
 data = self.helper.get_announcements()
@@ -72,6 +73,7 @@ class ApiAnnounceIndexHandler(BaseApiHandler):
 _,
 _,
 _user,
+ _,
 ) = auth_data
 try:
 data = json.loads(self.request.body)
diff --git a/app/classes/web/routes/api/crafty/clogs/index.py b/app/classes/web/routes/api/crafty/clogs/index.py
index f42d7e2c..35f48a7f 100644
--- a/app/classes/web/routes/api/crafty/clogs/index.py
+++ b/app/classes/web/routes/api/crafty/clogs/index.py
@@ -14,6 +14,7 @@ class ApiCraftyLogIndexHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 if not superuser:
diff --git a/app/classes/web/routes/api/crafty/config/index.py b/app/classes/web/routes/api/crafty/config/index.py
index 0c2f196c..d625d339 100644
--- a/app/classes/web/routes/api/crafty/config/index.py
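Review bot: The new sixth element of `auth_data` is unpacked as `_` and discarded on the added line here, and every other unpack-only hunk in this commit (announcements, clogs, config/index, server_dir, exe_cache, roles, servers, users, api, permissions, public) does the same, so no call site tells a reader what the new field is or why it exists. A short comment at the unpack, `# sixth element: <describe new field> (unused in this handler)`, at least at the first site, or having `authenticate_user()` return a NamedTuple so handlers bind fields by name, would document it. As written, any further change to the tuple's shape means editing twenty-odd positional unpacks, and a handler whose arity is wrong only fails at request time with a TypeError. The method bodies containing these unpacks start outside the hunks.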
+++ b/app/classes/web/routes/api/crafty/config/index.py
@@ -68,6 +68,7 @@ class ApiCraftyConfigIndexHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 # GET /api/v2/roles?ids=true
@@ -94,13 +95,7 @@ class ApiCraftyConfigIndexHandler(BaseApiHandler):
 auth_data = self.authenticate_user()
 if not auth_data:
 return
- (
- _,
- _,
- _,
- superuser,
- user,
- ) = auth_data
+ (_, _, _, superuser, user, _) = auth_data
 if not superuser:
 return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
@@ -150,6 +145,7 @@ class ApiCraftyCustomizeIndexHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 # GET /api/v2/roles?ids=true
@@ -182,6 +178,7 @@ class ApiCraftyCustomizeIndexHandler(BaseApiHandler):
 _,
 superuser,
 user,
+ _,
 ) = auth_data
 if not superuser:
 return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
diff --git a/app/classes/web/routes/api/crafty/config/server_dir.py b/app/classes/web/routes/api/crafty/config/server_dir.py
index 07cf7c26..bc88cba9 100644
--- a/app/classes/web/routes/api/crafty/config/server_dir.py
+++ b/app/classes/web/routes/api/crafty/config/server_dir.py
@@ -24,6 +24,7 @@ class ApiCraftyConfigServerDirHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 # GET /api/v2/roles?ids=true
@@ -56,6 +57,7 @@ class ApiCraftyConfigServerDirHandler(BaseApiHandler):
 _,
 _,
 _,
+ _,
 ) = auth_data
 if not auth_data:
diff --git a/app/classes/web/routes/api/crafty/exe_cache.py b/app/classes/web/routes/api/crafty/exe_cache.py
index 93162279..7fa9743a 100644
--- a/app/classes/web/routes/api/crafty/exe_cache.py
+++ b/app/classes/web/routes/api/crafty/exe_cache.py
@@ -12,6 +12,7 @@ class ApiCraftyJarCacheIndexHandler(BaseApiHandler):
 _,
 _,
 _,
+ _,
 ) = auth_data
 if not auth_data[4]["superuser"]:
diff --git a/app/classes/web/routes/api/roles/index.py b/app/classes/web/routes/api/roles/index.py
index 0f656dbb..a8612c75 100644
--- a/app/classes/web/routes/api/roles/index.py
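Review bot: In the server_dir.py hunk at line 56, the `if not auth_data:` guard on the last context line runs after `auth_data` has already been unpacked into the six-tuple, so it can never take effect: a falsy return from authentication raises TypeError in the unpack before the check is reached, and the request fails with an unhandled exception instead of the intended early return. If the method does not already check before the unpack (its start is outside the hunk), move the guard above the opening `(` line, `if not auth_data:` / `return`; if it does, this second copy is dead code and should be deleted. The config/index.py hunk at line 94 shows the intended order for comparison.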
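Review bot: In the exe_cache.py hunk, `if not auth_data[4]["superuser"]:` on the last context line re-indexes the tuple by position right after four `_` names have discarded the same elements, and this commit is itself changing the tuple's width, which is exactly when a positional index quietly goes stale. Judging from the config/index.py hunk, position 3 is the `superuser` flag and position 4 the user record, so binding them in the unpack (`superuser,` and `user,` in place of two of the `_,` lines) and testing `if not superuser:` would match the other handlers. That also raises a question worth settling explicitly: the other handlers authorize on the tuple's `superuser` flag, this one on the user record's own `superuser` field, and if those two can differ for some requests — plausible given the refactor is about API-key access levels — the two styles make different authorization decisions for the same caller. The method body starts outside the hunk.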
+++ b/app/classes/web/routes/api/roles/index.py
@@ -75,6 +75,7 @@ class ApiRolesIndexHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 # GET /api/v2/roles?ids=true
@@ -107,6 +108,7 @@ class ApiRolesIndexHandler(BaseApiHandler):
 _,
 superuser,
 user,
+ _,
 ) = auth_data
 if not superuser:
diff --git a/app/classes/web/routes/api/roles/role/index.py b/app/classes/web/routes/api/roles/role/index.py
index 97362f5b..73fd9ff3 100644
--- a/app/classes/web/routes/api/roles/role/index.py
+++ b/app/classes/web/routes/api/roles/role/index.py
@@ -74,6 +74,7 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 if not superuser:
@@ -97,6 +98,7 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
 _,
 superuser,
 user,
+ _,
 ) = auth_data
 if not superuser:
@@ -126,10 +128,19 @@ class ApiRolesRoleIndexHandler(BaseApiHandler):
 _,
 superuser,
 user,
+ _,
 ) = auth_data
- if not superuser:
- return self.finish_json(400, {"status": "error", "error": "NOT_AUTHORIZED"})
+ role = self.controller.roles.get_role(role_id)
+ if not superuser and user["user_id"] != role["manager"]:
+ return self.finish_json(
+ 400,
+ {
+ "status": "error",
+ "error": "NOT_AUTHORIZED",
+ "error_data": "Not Authorized",
+ },
+ )
 try:
 data = orjson.loads(self.request.body)
diff --git a/app/classes/web/routes/api/roles/role/servers.py b/app/classes/web/routes/api/roles/role/servers.py
index 0a0eff6f..8f41f6c6 100644
--- a/app/classes/web/routes/api/roles/role/servers.py
+++ b/app/classes/web/routes/api/roles/role/servers.py
@@ -13,6 +13,7 @@ class ApiRolesRoleServersHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 # GET /api/v2/roles/role/servers?ids=true
diff --git a/app/classes/web/routes/api/roles/role/users.py b/app/classes/web/routes/api/roles/role/users.py
index ac2227ac..48444ead 100644
--- a/app/classes/web/routes/api/roles/role/users.py
+++ b/app/classes/web/routes/api/roles/role/users.py
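Review bot: In the roles/role/index.py hunk at line 126, the new check reads `role["manager"]` straight after `self.controller.roles.get_role(role_id)` without confirming a role was found, so a request for an unknown `role_id` now ends in an exception where the old `if not superuser` path returned a clean 400; guard the lookup first, `if not role: return self.finish_json(404, {"status": "error", "error": "<not-found code>"})` with whatever code this API already uses for a missing role. The comparison `user["user_id"] != role["manager"]` also omits the `int()` coercion the parallel check in users/index.py applies; if the two values are stored with different types the manager branch never matches and the endpoint silently stays superuser-only, which should at least be a deliberate choice rather than an accident of types. Because a role manager can now reach the PATCH body that follows (it continues outside the hunk), it is worth confirming there that a manager cannot reassign `manager` or grant the role servers or permissions the manager does not hold themselves.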
@@ -12,6 +12,7 @@ class ApiRolesRoleUsersHandler(BaseApiHandler):
 _,
 superuser,
 _,
+ _,
 ) = auth_data
 if not superuser:
diff --git a/app/classes/web/routes/api/servers/index.py b/app/classes/web/routes/api/servers/index.py
index ea632c68..43cf01e2 100644
--- a/app/classes/web/routes/api/servers/index.py
+++ b/app/classes/web/routes/api/servers/index.py
@@ -685,6 +685,7 @@ class ApiServersIndexHandler(BaseApiHandler):
 _,
 _superuser,
 user,
+ _,
 ) = auth_data
 if EnumPermissionsCrafty.SERVER_CREATION not in exec_user_crafty_permissions:
diff --git a/app/classes/web/routes/api/users/index.py b/app/classes/web/routes/api/users/index.py
index fef154a0..dbdb1ac0 100644
--- a/app/classes/web/routes/api/users/index.py
+++ b/app/classes/web/routes/api/users/index.py
@@ -21,6 +21,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
 _,
 _,
 user,
+ _,
 ) = auth_data
 # GET /api/v2/users?ids=true
@@ -70,6 +71,7 @@ class ApiUsersIndexHandler(BaseApiHandler):
 _,
 superuser,
 user,
+ _,
 ) = auth_data
 if EnumPermissionsCrafty.USER_CONFIG not in exec_user_crafty_permissions:
@@ -149,11 +151,12 @@ class ApiUsersIndexHandler(BaseApiHandler):
 400, {"status": "error", "error": "INVALID_SUPERUSER_CREATE"}
 )
- if len(roles) != 0 and not superuser:
- # HACK: This should check if the user has the roles or something
- return self.finish_json(
- 400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
- )
+ for role in roles:
+ role = self.controller.roles.get_role(role)
+ if int(role["manager"]) != int(auth_data[4]["user_id"]) and not superuser:
+ return self.finish_json(
+ 400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
+ )
 # TODO: do this in the most efficient way
 user_id = self.controller.users.add_user(
diff --git a/app/classes/web/routes/api/users/user/api.py b/app/classes/web/routes/api/users/user/api.py
index 2abb8463..3891ef83 100644
--- a/app/classes/web/routes/api/users/user/api.py
+++ b/app/classes/web/routes/api/users/user/api.py
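Review bot: In the users/index.py hunk at line 149, the new loop rebinds `role` from the requested id to the record returned by `get_role(role)` and then reads `role["manager"]` without checking the lookup succeeded, so an unknown role id in the request body produces an exception (and a 500) instead of the 400 `INVALID_ROLES_CREATE` the branch is meant to return, assuming `get_role` yields a falsy value for a missing id. The lookup is also performed for superusers only to have its result thrown away by `and not superuser`, and `auth_data[4]["user_id"]` re-indexes the tuple positionally although the hunk at line 70 unpacks that element as `user`, presumably in this same method (its start is outside the hunk). Hoisting the superuser test, naming the record distinctly and reusing `user` addresses all three, as sketched below.

```python
        if not superuser:
            for role_id in roles:
                role_record = self.controller.roles.get_role(role_id)
                # a missing role, or one this caller does not manage, is rejected
                if not role_record or int(role_record["manager"]) != int(user["user_id"]):
                    return self.finish_json(
                        400, {"status": "error", "error": "INVALID_ROLES_CREATE"}
                    )
        # … unchanged: add_user call …
```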
@@ -113,6 +113,7 @@ class ApiUsersUserKeyHandler(BaseApiHandler):
 _,
 _superuser,
 user,
+ _,
 ) = auth_data
 try:
@@ -188,6 +189,7 @@ class ApiUsersUserKeyHandler(BaseApiHandler):
 _,
 _,
 _user,
+ _,
 ) = auth_data
 if key_id:
 key = self.controller.users.get_user_api_key(key_id)
diff --git a/app/classes/web/routes/api/users/user/index.py b/app/classes/web/routes/api/users/user/index.py
index 6efee93e..9fa46200 100644
--- a/app/classes/web/routes/api/users/user/index.py
+++ b/app/classes/web/routes/api/users/user/index.py
@@ -24,6 +24,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
 _,
 _,
 user,
+ _,
 ) = auth_data
 if user_id in ["@me", user["user_id"]]:
@@ -72,6 +73,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
 _,
 _,
 user,
+ _,
 ) = auth_data
 if (user_id in ["@me", user["user_id"]]) and self.helper.get_setting(
@@ -121,6 +123,7 @@ class ApiUsersUserIndexHandler(BaseApiHandler):
 _,
 superuser,
 user,
+ _,
 ) = auth_data
 try:
diff --git a/app/classes/web/routes/api/users/user/permissions.py b/app/classes/web/routes/api/users/user/permissions.py
index 5981eaf4..d0f496f2 100644
--- a/app/classes/web/routes/api/users/user/permissions.py
+++ b/app/classes/web/routes/api/users/user/permissions.py
@@ -27,6 +27,7 @@ class ApiUsersUserPermissionsHandler(BaseApiHandler):
 _,
 _,
 user,
+ _,
 ) = auth_data
 if user_id in ["@me", user["user_id"]]:
diff --git a/app/classes/web/routes/api/users/user/public.py b/app/classes/web/routes/api/users/user/public.py
index b67ab61e..e016babc 100644
--- a/app/classes/web/routes/api/users/user/public.py
+++ b/app/classes/web/routes/api/users/user/public.py
@@ -17,6 +17,7 @@ class ApiUsersUserPublicHandler(BaseApiHandler):
 _,
 _,
 user,
+ _,
 ) = auth_data
 if user_id == "@me":