From a0b8dbe36a3af0489b0983b16e1e3004404b4dc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20Gr=C3=B6ger?=
Date: Wed, 28 Oct 2020 12:58:34 +0100
Subject: [PATCH] Fixed hidden attributes in auth and users

---
 flaschengeist/modules/auth/__init__.py | 8 ++++----
 flaschengeist/modules/users/__init__.py | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/flaschengeist/modules/auth/__init__.py b/flaschengeist/modules/auth/__init__.py
index 594bb01..1c3f036 100644
--- a/flaschengeist/modules/auth/__init__.py
+++ b/flaschengeist/modules/auth/__init__.py
@@ -76,7 +76,7 @@ def _get_sessions(access_token: Session, **kwargs):
 @login_required()
 def _delete_session(access_token, token, **kwargs):
     logger.debug("Try to delete access token {{ {} }}".format(token))
-    token = sessionController.get_session(token, access_token.user)
+    token = sessionController.get_session(token, access_token._user)
     if not token:
         logger.debug("Token not found in database!")
         # Return 403 error, so that users can not bruteforce tokens
@@ -91,7 +91,7 @@ def _delete_session(access_token, token, **kwargs):
 @login_required()
 def _get_session(token, access_token, **kwargs):
     logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
@@ -103,7 +103,7 @@ def _get_session(token, access_token, **kwargs):
 @login_required()
 def _get_assocd_user(token, access_token, **kwargs):
     logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
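Review bot: The changed line reads a leading-underscore attribute, `access_token._user`, from the auth route module, so this module now depends on the private layout of the session object rather than on its interface; the same access is made in the `_get_session`, `_get_assocd_user` and `_set_lifetime` hunks and in the `__edit_user` hunk of users/__init__.py. If the intent was to hide the storage attribute, a read-only accessor on the session class, `@property` over `def user(self): return self._user`, keeps `access_token.user` working at every call site without exposing the private name. Also the lookup result is bound back onto the `token` parameter, so below this line `token` is a session object rather than the request's token string; `session = sessionController.get_session(token, access_token._user)` followed by `if not session:` would match what `_get_session` already does. The body of _delete_session continues outside the hunk.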
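Review bot: The guard right after the changed line tests the wrong name: the lookup result goes into `session`, but `if not token:` checks the request parameter, which is non-empty whenever the route matched, so the 403 branch below is unreachable and a token that is unknown or belongs to another user falls through to the code that uses `session` (outside this hunk), presumably an AttributeError on None and a 500. That undermines the comment's own goal of making invalid tokens and other users' tokens indistinguishable, since one of the two cases now fails differently. The fix is `if not session:`; the `_get_assocd_user` hunk has the identical mismatch. The rest of _get_session is outside the hunk.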
@@ -114,7 +114,7 @@ def _get_assocd_user(token, access_token, **kwargs): @auth_bp.route("/auth/", methods=["PUT"]) @login_required() def _set_lifetime(token, access_token, **kwargs): - token = sessionController.get_token(token, access_token.user) + token = sessionController.get_token(token, access_token._user) if not token: # Return 403 error, so that users can not bruteforce tokens # Valid tokens from other users and invalid tokens now are looking the same diff --git a/flaschengeist/modules/users/__init__.py b/flaschengeist/modules/users/__init__.py index f48cfe5..3f7cec5 100644 --- a/flaschengeist/modules/users/__init__.py +++ b/flaschengeist/modules/users/__init__.py @@ -62,7 +62,7 @@ def __delete_user(uid, **kwargs): @users_bp.route("/users/", methods=["PUT"]) @login_required() -def __edit_user(uid, **kwargs): +def __edit_user(uid, access_token ,**kwargs): logger.debug("Modify information of user {{ {} }}".format(uid)) user = userController.get_user(uid) data = request.get_json() @@ -70,7 +70,7 @@ def __edit_user(uid, **kwargs): password = None new_password = data["new_password"] if "new_password" in data else None - if uid != kwargs["access_token"].user.userid: + if uid != access_token._user.userid: if not user.has_permission(_permission_edit): return Forbidden else:
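Review bot: This route calls `sessionController.get_token(token, access_token._user)` while the three sibling routes changed in this commit call `sessionController.get_session(...)` with the same two arguments; if both helpers exist this is fine, but if `get_token` is a stale name the route would fail with an AttributeError at request time, so it is worth confirming against sessionController. As in `_delete_session`, the result is bound back onto the `token` parameter, so from here on the name holds a session object rather than the request's token string. The body of _set_lifetime continues outside the hunk.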
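Review bot: The new signature has a stray space before the comma, `def __edit_user(uid, access_token ,**kwargs):`; PEP 8 and black want `def __edit_user(uid, access_token, **kwargs):`. Promoting access_token to a named parameter is consistent with the decorator already supplying it through kwargs (the old body read `kwargs["access_token"]`); it only moves a missing value from a KeyError inside the body to a TypeError at the call. The body of __edit_user continues past the hunk.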
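Review bot: The permission check under the changed line is applied to the wrong principal: `user` is the target account loaded from `uid` earlier in the function, yet `if not user.has_permission(_permission_edit):` asks whether the account being edited holds the edit permission, not whether the caller does, so a caller without it could modify any account that has it and a privileged caller could be refused when editing an unprivileged one. Unless has_permission means something other than its name suggests, it should read `if not access_token._user.has_permission(_permission_edit):`. Separately, `return Forbidden` hands the exception class back as the view's response; if this is werkzeug's Forbidden it needs `raise Forbidden()` (or `abort(403)`) for Flask to emit a 403. The rest of __edit_user is outside the hunk.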