
Commit e19e539

committed
Fix incorrect access controll
1 parent e047f28 commit e19e539


2 files changed

+18
-7
lines changed


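--- a/api/views/user.py
+++ b/api/views/user.py
@@ -1,5 +1,5 @@
 from rest_framework import permissions, status, viewsets
-from rest_framework.permissions import AllowAny, IsAdminUser
+from rest_framework.permissions import AllowAny, IsAdminUser, IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
@@ -43,6 +43,15 @@ def get(self, request, format=None):
             logger.exception(str(e))
             return Response({"message": str(e)})
 
+class IsFirstTimeSetupView(APIView):
+    permission_classes = (AllowAny,)
+
+    def get(self, request, format=None):
+        try:
+            return Response({"isFirstTimeSetup": not User.objects.filter(is_superuser=True).exists()})
+        except Exception as e:
+            logger.exception(str(e))
+            return Response({"message": str(e)})
 
 class FirstTimeSetupPermission(permissions.BasePermission):
     message = "Check if the first time setup is done"
@@ -55,7 +64,7 @@ class UserViewSet(viewsets.ModelViewSet):
 
     serializer_class = UserSerializer
 
-    permission_classes = (IsUserOrReadOnly,)
+    permission_classes = (IsAdminUser,)
 
     def get_queryset(self):
         queryset = (
@@ -92,14 +101,15 @@ def get_permissions(self):
             self.permission_classes = [
                 IsRegistrationAllowed | FirstTimeSetupPermission | IsAdminUser
             ]
-        elif self.action == "list":
-            self.permission_classes = (AllowAny,)
-        elif self.request.method == "GET" or self.request.method == "POST":
+        if self.request.method == "POST":
             self.permission_classes = (AllowAny,)
-        else:
-            self.permission_classes = (IsUserOrReadOnly,)
         return super(UserViewSet, self).get_permissions()
 
+    def create(self, request, *args, **kwargs):
+        if User.objects.filter(is_superuser=True).exists() and not request.user.is_superuser:
+            return Response(status=status.HTTP_401_UNAUTHORIZED)
+        return super(UserViewSet, self).create(request, *args, **kwargs)
+
     def retrieve(self, *args, **kwargs):
         return super(UserViewSet, self).retrieve(*args, **kwargs)
 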
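Review bot: The `if self.request.method == "POST":` added at new line 104 runs after the `create` branch (which begins above the hunk) and replaces its `IsRegistrationAllowed | FirstTimeSetupPermission | IsAdminUser` list with `(AllowAny,)` for every POST, so that permission expression is never enforced and the only gate on user creation is the inline check in `create()`. That inline check answers an authenticated non-superuser with `HTTP_401_UNAUTHORIZED`, which signals missing credentials; a permission denial should be `return Response(status=status.HTTP_403_FORBIDDEN)`, or better `self.permission_denied(request)` so DRF's normal exception handling applies. If the intent is that POST stays open only until the first superuser exists, `FirstTimeSetupPermission` presumably already expresses that, so the override at line 104 could become `elif` (or be removed) and the duplicated check in `create()` dropped. `IsAuthenticated` is newly imported at line 2 but not used in any hunk shown here. The body of `get_permissions` starts outside the hunk.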
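--- a/ownphotos/urls.py
+++ b/ownphotos/urls.py
@@ -193,6 +193,7 @@ def post(self, request, *args, **kwargs):
     url(r"^", include(router.urls)),
     url(r"^admin/", admin.site.urls),
     url(r"^api/sitesettings", views.SiteSettingsView.as_view()),
+    url(r"^api/firsttimesetup", user.IsFirstTimeSetupView.as_view()),
     url(r"^api/dirtree", user.RootPathTreeView.as_view()),
     url(r"^api/labelfaces", faces.SetFacePersonLabel.as_view()),
     url(r"^api/deletefaces", faces.DeleteFaces.as_view()),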