[System] Fixed HTTP status when user has insufficient permission

2020-11-13 03:57:23 +01:00 · 2020-11-13 03:57:23 +01:00 · 2e77855fe9
parent cbcd5b39a3
commit 2e77855fe9
2 changed files with 11 additions and 9 deletions
--- a/flaschengeist/controller/sessionController.py
+++ b/flaschengeist/controller/sessionController.py
@ -2,13 +2,13 @@ import secrets
 from flaschengeist.models.session import Session
 from flaschengeist.database import db
 from flaschengeist import logger
-from werkzeug.exceptions import Forbidden
+from werkzeug.exceptions import Forbidden, Unauthorized
 from datetime import datetime, timezone

 lifetime = 1800


-def validate_token(token, user_agent, permissions):
+def validate_token(token, user_agent, permission):
    """Verify session

    Verify a Session and Roles so if the User has permission or not.
@ -17,9 +17,12 @@ def validate_token(token, user_agent, permissions):
    Args:
        token: Token to verify.
        user_agent: User agent of browser to check
-        permissions: Permissions needed to access restricted routes
+        permission: Permission needed to access restricted routes
    Returns:
-        A Session for this given Token or False.
+        A Session for this given Token
+    Raises:
+        Unauthorized: If token is invalid or expired
+        Forbidden: If permission is insufficient
    """
    logger.debug("check token {{ {} }} is valid".format(token))
    session = Session.query.filter_by(token=token).one_or_none()
@ -28,15 +31,17 @@ def validate_token(token, user_agent, permissions):
        if session.expires >= datetime.now(timezone.utc) and (
            session.browser == user_agent.browser and session.platform == user_agent.platform
        ):
-            if not permissions or session._user.has_permission(permissions):
+            if not permission or session._user.has_permission(permission):
                session.refresh()
                db.session.commit()
                return session
+            else:
+                raise Forbidden
        else:
            logger.debug("access token is out of date or invalid client used")
            delete_session(session)
    logger.debug("no valid access token with token: {{ {} }} and permissions: {{ {} }}".format(token, permissions))
-    return False
+    raise Unauthorized


 def create(user, user_agent=None) -> Session:
--- a/flaschengeist/decorator.py
+++ b/flaschengeist/decorator.py
@ -15,9 +15,6 @@ def extract_session(permission=None):
        raise Unauthorized

    session = sessionController.validate_token(token, request.user_agent, permission)
-    if not session:
-        logger.debug("token {{ {} }} is invalid".format(token))
-        raise Unauthorized
    return session