Fixed hidden attributes in auth and users
This commit is contained in:
parent
6b094bc3f8
commit
a0b8dbe36a
@ -76,7 +76,7 @@ def _get_sessions(access_token: Session, **kwargs):
|
||||||
@login_required()
|
@login_required()
|
||||||
def _delete_session(access_token, token, **kwargs):
|
def _delete_session(access_token, token, **kwargs):
|
||||||
logger.debug("Try to delete access token {{ {} }}".format(token))
|
logger.debug("Try to delete access token {{ {} }}".format(token))
|
||||||
token = sessionController.get_session(token, access_token.user)
|
token = sessionController.get_session(token, access_token._user)
|
||||||
if not token:
|
if not token:
|
||||||
logger.debug("Token not found in database!")
|
logger.debug("Token not found in database!")
|
||||||
# Return 403 error, so that users can not bruteforce tokens
|
# Return 403 error, so that users can not bruteforce tokens
|
||||||
|
@ -91,7 +91,7 @@ def _delete_session(access_token, token, **kwargs):
|
||||||
@login_required()
|
@login_required()
|
||||||
def _get_session(token, access_token, **kwargs):
|
def _get_session(token, access_token, **kwargs):
|
||||||
logger.debug("get token {{ {} }}".format(token))
|
logger.debug("get token {{ {} }}".format(token))
|
||||||
session = sessionController.get_session(token, access_token.user)
|
session = sessionController.get_session(token, access_token._user)
|
||||||
if not token:
|
if not token:
|
||||||
# Return 403 error, so that users can not bruteforce tokens
|
# Return 403 error, so that users can not bruteforce tokens
|
||||||
# Valid tokens from other users and invalid tokens now are looking the same
|
# Valid tokens from other users and invalid tokens now are looking the same
|
||||||
|
@ -103,7 +103,7 @@ def _get_session(token, access_token, **kwargs):
|
||||||
@login_required()
|
@login_required()
|
||||||
def _get_assocd_user(token, access_token, **kwargs):
|
def _get_assocd_user(token, access_token, **kwargs):
|
||||||
logger.debug("get token {{ {} }}".format(token))
|
logger.debug("get token {{ {} }}".format(token))
|
||||||
session = sessionController.get_session(token, access_token.user)
|
session = sessionController.get_session(token, access_token._user)
|
||||||
if not token:
|
if not token:
|
||||||
# Return 403 error, so that users can not bruteforce tokens
|
# Return 403 error, so that users can not bruteforce tokens
|
||||||
# Valid tokens from other users and invalid tokens now are looking the same
|
# Valid tokens from other users and invalid tokens now are looking the same
|
||||||
|
@ -114,7 +114,7 @@ def _get_assocd_user(token, access_token, **kwargs):
|
||||||
@auth_bp.route("/auth/<token>", methods=["PUT"])
|
@auth_bp.route("/auth/<token>", methods=["PUT"])
|
||||||
@login_required()
|
@login_required()
|
||||||
def _set_lifetime(token, access_token, **kwargs):
|
def _set_lifetime(token, access_token, **kwargs):
|
||||||
token = sessionController.get_token(token, access_token.user)
|
token = sessionController.get_token(token, access_token._user)
|
||||||
if not token:
|
if not token:
|
||||||
# Return 403 error, so that users can not bruteforce tokens
|
# Return 403 error, so that users can not bruteforce tokens
|
||||||
# Valid tokens from other users and invalid tokens now are looking the same
|
# Valid tokens from other users and invalid tokens now are looking the same
|
||||||
|
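Review bot: In `_get_session` (hunk at -91) and `_get_assocd_user` (hunk at -103) the guard on the new side is still `if not token:`, which tests the URL path parameter rather than `session`, the result of the `get_session` lookup on the line above; for any non-empty path component the "not found → 403" branch is never taken, so a token that belongs to another user, or one that does not exist, continues into the code after the hunk with `session` unset, contrary to the comment that such tokens should look the same as invalid ones. The check should read `if not session:` in both functions (the first and fourth hunks assign the lookup back to `token`, so they are unaffected). Separately, every hunk in this section now reads `access_token._user` from the route layer; if `user` was renamed with a leading underscore to keep it out of serialization, a read-only property on the model would keep that intent without the views depending on a private attribute. The bodies of all four functions continue outside the hunks.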
|
|
@ -62,7 +62,7 @@ def __delete_user(uid, **kwargs):
|
||||||
|
|
||||||
@users_bp.route("/users/<uid>", methods=["PUT"])
|
@users_bp.route("/users/<uid>", methods=["PUT"])
|
||||||
@login_required()
|
@login_required()
|
||||||
def __edit_user(uid, **kwargs):
|
def __edit_user(uid, access_token ,**kwargs):
|
||||||
logger.debug("Modify information of user {{ {} }}".format(uid))
|
logger.debug("Modify information of user {{ {} }}".format(uid))
|
||||||
user = userController.get_user(uid)
|
user = userController.get_user(uid)
|
||||||
data = request.get_json()
|
data = request.get_json()
|
||||||
|
@ -70,7 +70,7 @@ def __edit_user(uid, **kwargs):
|
||||||
password = None
|
password = None
|
||||||
new_password = data["new_password"] if "new_password" in data else None
|
new_password = data["new_password"] if "new_password" in data else None
|
||||||
|
|
||||||
if uid != kwargs["access_token"].user.userid:
|
if uid != access_token._user.userid:
|
||||||
if not user.has_permission(_permission_edit):
|
if not user.has_permission(_permission_edit):
|
||||||
return Forbidden
|
return Forbidden
|
||||||
else:
|
else:
|
||||||
|
|
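Review bot: The permission check just below the changed comparison, `if not user.has_permission(_permission_edit):`, is evaluated against `user`, the target account loaded from `uid` in the previous hunk, not against the caller `access_token._user`; unless `has_permission` is unrelated to the calling identity, a request to edit a different user is authorized on the target's permissions rather than the requester's, and the line should read `if not access_token._user.has_permission(_permission_edit):`. The `uid != access_token._user.userid` comparison is between a path component and a model field whose type is not visible here; if `userid` is not a string the branch is always taken, which fails closed but would make self-edits require the edit permission, so worth confirming. `return Forbidden` in the same hunk returns the class itself rather than raising or instantiating it, which looks unintended if this is a Flask view. Style: the new signature has a stray space, `def __edit_user(uid, access_token, **kwargs):`. `__edit_user` continues outside the hunk.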