Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix incorrect access controll
  • Loading branch information
derneuere committed Jan 8, 2023
1 parent e047f28 commit e19e539
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 7 deletions.
24 changes: 17 additions & 7 deletions api/views/user.py
@@ -1,5 +1,5 @@
from rest_framework import permissions, status, viewsets
from rest_framework.permissions import AllowAny, IsAdminUser
from rest_framework.permissions import AllowAny, IsAdminUser, IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

Expand Down Expand Up @@ -43,6 +43,15 @@ def get(self, request, format=None):
logger.exception(str(e))
return Response({"message": str(e)})

class IsFirstTimeSetupView(APIView):
permission_classes = (AllowAny,)

def get(self, request, format=None):
try:
return Response({"isFirstTimeSetup": not User.objects.filter(is_superuser=True).exists()})
except Exception as e:
logger.exception(str(e))
return Response({"message": str(e)})

class FirstTimeSetupPermission(permissions.BasePermission):
message = "Check if the first time setup is done"
Expand All @@ -55,7 +64,7 @@ class UserViewSet(viewsets.ModelViewSet):

serializer_class = UserSerializer

permission_classes = (IsUserOrReadOnly,)
permission_classes = (IsAdminUser,)

def get_queryset(self):
queryset = (
Expand Down Expand Up @@ -92,14 +101,15 @@ def get_permissions(self):
self.permission_classes = [
IsRegistrationAllowed | FirstTimeSetupPermission | IsAdminUser
]
elif self.action == "list":
self.permission_classes = (AllowAny,)
elif self.request.method == "GET" or self.request.method == "POST":
if self.request.method == "POST":
self.permission_classes = (AllowAny,)
else:
self.permission_classes = (IsUserOrReadOnly,)
return super(UserViewSet, self).get_permissions()

def create(self, request, *args, **kwargs):
if User.objects.filter(is_superuser=True).exists() and not request.user.is_superuser:
return Response(status=status.HTTP_401_UNAUTHORIZED)
return super(UserViewSet, self).create(request, *args, **kwargs)

def retrieve(self, *args, **kwargs):
return super(UserViewSet, self).retrieve(*args, **kwargs)

Expand Down
1 change: 1 addition & 0 deletions ownphotos/urls.py
Expand Up @@ -193,6 +193,7 @@ def post(self, request, *args, **kwargs):
url(r"^", include(router.urls)),
url(r"^admin/", admin.site.urls),
url(r"^api/sitesettings", views.SiteSettingsView.as_view()),
url(r"^api/firsttimesetup", user.IsFirstTimeSetupView.as_view()),
url(r"^api/dirtree", user.RootPathTreeView.as_view()),
url(r"^api/labelfaces", faces.SetFacePersonLabel.as_view()),
url(r"^api/deletefaces", faces.DeleteFaces.as_view()),
Expand Down

0 comments on commit e19e539

Please sign in to comment.