From 2e77855fe9ef03ae5477c29a8def3130e61ffb1b Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Fri, 13 Nov 2020 03:57:23 +0100
Subject: [PATCH] [System] Fixed HTTP status when user has insufficient permission
---
 flaschengeist/controller/sessionController.py | 17 +++++++++++------
 flaschengeist/decorator.py | 3 ---
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/flaschengeist/controller/sessionController.py b/flaschengeist/controller/sessionController.py
index 7d5e3e8..499913e 100644
--- a/flaschengeist/controller/sessionController.py
+++ b/flaschengeist/controller/sessionController.py
@@ -2,13 +2,13 @@ import secrets
 from flaschengeist.models.session import Session
 from flaschengeist.database import db
 from flaschengeist import logger
-from werkzeug.exceptions import Forbidden
+from werkzeug.exceptions import Forbidden, Unauthorized
 from datetime import datetime, timezone
 lifetime = 1800
-def validate_token(token, user_agent, permissions):
+def validate_token(token, user_agent, permission):
 """Verify session
 Verify a Session and Roles so if the User has permission or not.
@@ -17,9 +17,12 @@ def validate_token(token, user_agent, permissions):
 Args:
 token: Token to verify.
 user_agent: User agent of browser to check
- permissions: Permissions needed to access restricted routes
+ permission: Permission needed to access restricted routes
 Returns:
- A Session for this given Token or False.
+ A Session for this given Token
+ Raises:
+ Unauthorized: If token is invalid or expired
+ Forbidden: If permission is insufficient
 """
 logger.debug("check token {{ {} }} is valid".format(token))
 session = Session.query.filter_by(token=token).one_or_none()
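Review bot: The new Raises section in the validate_token docstring under-describes the Unauthorized path: the body in the following hunk also raises it when the stored browser/platform does not match the request's user agent, and on expiry or such a mismatch it calls delete_session(session) first, a side effect a caller handling the 401 should know about. I would write the entry as `Unauthorized: If the token is unknown, expired or bound to a different client; an expired or mismatched session is deleted` and add a sentence after the summary saying that validation also refreshes the session and commits. The "or False" removal is right since the function no longer returns a falsy value. validate_token starts in the previous hunk and its body continues in the next one.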
@@ -28,15 +31,17 @@ def validate_token(token, user_agent, permissions):
 if session.expires >= datetime.now(timezone.utc) and (
 session.browser == user_agent.browser and session.platform == user_agent.platform
 ):
- if not permissions or session._user.has_permission(permissions):
+ if not permission or session._user.has_permission(permission):
 session.refresh()
 db.session.commit()
 return session
+ else:
+ raise Forbidden
 else:
 logger.debug("access token is out of date or invalid client used")
 delete_session(session)
 logger.debug("no valid access token with token: {{ {} }} and permissions: {{ {} }}".format(token, permissions))
- return False
+ raise Unauthorized
 def create(user, user_agent=None) -> Session:
diff --git a/flaschengeist/decorator.py b/flaschengeist/decorator.py
index e29fb4a..18ded1a 100644
--- a/flaschengeist/decorator.py
+++ b/flaschengeist/decorator.py
@@ -15,9 +15,6 @@ def extract_session(permission=None):
 raise Unauthorized
 session = sessionController.validate_token(token, request.user_agent, permission)
- if not session:
- logger.debug("token {{ {} }} is invalid".format(token))
- raise Unauthorized
 return session
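Review bot: The unchanged debug line directly above the new `raise Unauthorized` still formats `permissions`, but this commit renamed the parameter to `permission` in the signature and in the has_permission branch, and no module-level name of that spelling is imported, so every path that should now yield a 401 — unknown token, expired session, client mismatch — raises NameError instead and surfaces as a 500, which defeats the purpose of the fix. Change it to `logger.debug("no valid access token with token: {{ {} }} and permission: {{ {} }}".format(token, permission))`. Separately, that line and the earlier "check token ... is valid" line write the raw session token to the log; even at debug level, logging only a short prefix or a hash of the token would keep bearer credentials out of log files. The `raise Forbidden` before refresh/commit is fine, since a failed authorization should not extend the session. validate_token begins in the earlier hunks of this file.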