Fixed hidden attributes in auth and users

2020-10-28 12:58:34 +01:00 · 2020-10-28 12:58:34 +01:00 · a0b8dbe36a
parent 6b094bc3f8
commit a0b8dbe36a
2 changed files with 6 additions and 6 deletions
--- a/flaschengeist/modules/auth/init.py
+++ b/flaschengeist/modules/auth/init.py
@ -76,7 +76,7 @@ def _get_sessions(access_token: Session, **kwargs):
@login_required()
 def _delete_session(access_token, token, **kwargs):
    logger.debug("Try to delete access token {{ {} }}".format(token))
-    token = sessionController.get_session(token, access_token.user)
+    token = sessionController.get_session(token, access_token._user)
    if not token:
        logger.debug("Token not found in database!")
        # Return 403 error, so that users can not bruteforce tokens
@ -91,7 +91,7 @@ def _delete_session(access_token, token, **kwargs):
@login_required()
 def _get_session(token, access_token, **kwargs):
    logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
    if not token:
        # Return 403 error, so that users can not bruteforce tokens
        # Valid tokens from other users and invalid tokens now are looking the same
@ -103,7 +103,7 @@ def _get_session(token, access_token, **kwargs):
@login_required()
 def _get_assocd_user(token, access_token, **kwargs):
    logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
    if not token:
        # Return 403 error, so that users can not bruteforce tokens
        # Valid tokens from other users and invalid tokens now are looking the same
@ -114,7 +114,7 @@ def _get_assocd_user(token, access_token, **kwargs):
@auth_bp.route("/auth/<token>", methods=["PUT"])
@login_required()
 def _set_lifetime(token, access_token, **kwargs):
-    token = sessionController.get_token(token, access_token.user)
+    token = sessionController.get_token(token, access_token._user)
    if not token:
        # Return 403 error, so that users can not bruteforce tokens
        # Valid tokens from other users and invalid tokens now are looking the same
--- a/flaschengeist/modules/users/init.py
+++ b/flaschengeist/modules/users/init.py
@ -62,7 +62,7 @@ def __delete_user(uid, **kwargs):

@users_bp.route("/users/<uid>", methods=["PUT"])
@login_required()
-def __edit_user(uid, **kwargs):
+def __edit_user(uid, access_token ,**kwargs):
    logger.debug("Modify information of user {{ {} }}".format(uid))
    user = userController.get_user(uid)
    data = request.get_json()
@ -70,7 +70,7 @@ def __edit_user(uid, **kwargs):
    password = None
    new_password = data["new_password"] if "new_password" in data else None

-    if uid != kwargs["access_token"].user.userid:
+    if uid != access_token._user.userid:
        if not user.has_permission(_permission_edit):
            return Forbidden
    else: