[System] Fixed HTTP status when user has insufficient permission

Ferdinand Thiessen 2020-11-13 03:57:23 +01:00
parent cbcd5b39a3
commit 2e77855fe9
2 changed files with 11 additions and 9 deletions


@ -2,13 +2,13 @@ import secrets
from flaschengeist.models.session import Session from flaschengeist.models.session import Session
from flaschengeist.database import db from flaschengeist.database import db
from flaschengeist import logger from flaschengeist import logger
from werkzeug.exceptions import Forbidden from werkzeug.exceptions import Forbidden, Unauthorized
from datetime import datetime, timezone from datetime import datetime, timezone
lifetime = 1800 lifetime = 1800
def validate_token(token, user_agent, permissions): def validate_token(token, user_agent, permission):
"""Verify session """Verify session
Verify a Session and Roles so if the User has permission or not. Verify a Session and Roles so if the User has permission or not.
@ -17,9 +17,12 @@ def validate_token(token, user_agent, permissions):
Args: Args:
token: Token to verify. token: Token to verify.
user_agent: User agent of browser to check user_agent: User agent of browser to check
permissions: Permissions needed to access restricted routes permission: Permission needed to access restricted routes
Returns: Returns:
A Session for this given Token or False. A Session for this given Token
Raises:
Unauthorized: If token is invalid or expired
Forbidden: If permission is insufficient
""" """
logger.debug("check token {{ {} }} is valid".format(token)) logger.debug("check token {{ {} }} is valid".format(token))
session = Session.query.filter_by(token=token).one_or_none() session = Session.query.filter_by(token=token).one_or_none()
@ -28,15 +31,17 @@ def validate_token(token, user_agent, permissions):
if session.expires >= datetime.now(timezone.utc) and ( if session.expires >= datetime.now(timezone.utc) and (
session.browser == user_agent.browser and session.platform == user_agent.platform session.browser == user_agent.browser and session.platform == user_agent.platform
): ):
if not permissions or session._user.has_permission(permissions): if not permission or session._user.has_permission(permission):
session.refresh() session.refresh()
db.session.commit() db.session.commit()
return session return session
else:
raise Forbidden
else: else:
logger.debug("access token is out of date or invalid client used") logger.debug("access token is out of date or invalid client used")
delete_session(session) delete_session(session)
logger.debug("no valid access token with token: {{ {} }} and permissions: {{ {} }}".format(token, permissions)) logger.debug("no valid access token with token: {{ {} }} and permissions: {{ {} }}".format(token, permissions))
return False raise Unauthorized
def create(user, user_agent=None) -> Session: def create(user, user_agent=None) -> Session:
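Review bot: The final `logger.debug("no valid access token with token: ... and permissions: ...".format(token, permissions))` line in the last hunk still references `permissions`, but this commit renames the parameter to `permission` in the signature, so on the new side every path that reaches the trailing `raise Unauthorized` (no session found, expired session, or client mismatch) trips a NameError first and the caller receives a 500 instead of the intended 401. The fix is `.format(token, permission)`, or better the lazy form `logger.debug("no valid access token with token: {{ %s }} and permissions: {{ %s }}", token, permission)`. Separately, both that line and the earlier `check token {{ {} }} is valid` line write the raw session token to the log; since the token is the bearer credential, consider logging only a truncated prefix or the session's id — this predates the commit but is worth noting while the error paths are being reworked. The three hunks cover only parts of `validate_token`; the handling between `one_or_none()` and the expiry check is outside this view.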


@ -15,9 +15,6 @@ def extract_session(permission=None):
raise Unauthorized raise Unauthorized
session = sessionController.validate_token(token, request.user_agent, permission) session = sessionController.validate_token(token, request.user_agent, permission)
if not session:
logger.debug("token {{ {} }} is invalid".format(token))
raise Unauthorized
return session return session