New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add permission checks to Rest API #18639

Merged
merged 7 commits into from Nov 25, 2018

Conversation

Projects
None yet
3 participants
@balloob
Member

balloob commented Nov 22, 2018

Description:

This adds permission checks to the Rest API.

Since a lot of these APIs directly touch the core pieces of HA, they are limited to admin only (updating states, streaming all events, rendering arbitrary templates).

Checklist:

  • The code change is tested and works locally.
  • Local tests pass with tox. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.

If the code does not interact with devices:

  • Tests have been added to verify that the new code works.

@balloob balloob requested a review from home-assistant/core as a code owner Nov 22, 2018

@wafflebot wafflebot bot added the in progress label Nov 22, 2018

@balloob balloob force-pushed the perm-states-view branch from 72d28f4 to 4a7d647 Nov 22, 2018

@pvizeli

This comment has been minimized.

Member

pvizeli commented Nov 22, 2018

Can we put Hass.io user first into admin group?

@pvizeli

This comment has been minimized.

Member

pvizeli commented Nov 22, 2018

After this PR we can also start to remove the legacy API password :P

@balloob

This comment has been minimized.

Member

balloob commented Nov 22, 2018

This should not be a breaking change. I'll fix the Hass.io user and put it in the admin group. After that it should not be one?

@balloob

This comment has been minimized.

Member

balloob commented Nov 23, 2018

Updated so that Hass.io component migrates existing user to admin and new users will also be created as admin.

balloob added some commits Nov 21, 2018

@pvizeli

This comment has been minimized.

Member

pvizeli commented Nov 23, 2018

All script they use new long live token doesn't work anymore if they create it with none admin users -> breaking changes? Also scripts with old API token system. That affected a lot of installations.

@balloob balloob force-pushed the perm-states-view branch from a84ca6d to a38213a Nov 23, 2018

@balloob

This comment has been minimized.

Member

balloob commented Nov 23, 2018

All existing users are part of the admin group. Only system users were not automatically migrated but that's only needed for Hass.io, which I have added.

@balloob

This comment has been minimized.

Member

balloob commented Nov 23, 2018

About removing the legacy API password -> we need to update all HTTP tests to be using access tokens first…

@pvizeli pvizeli merged commit 8b8629a into dev Nov 25, 2018

6 checks passed

Hound No violations found. Woof!
WIP ready for review
Details
cla-bot Everyone involved has signed the CLA
continuous-integration/travis-ci/pr The Travis CI build passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details
coverage/coveralls Coverage decreased (-0.006%) to 93.003%
Details

@wafflebot wafflebot bot removed the in progress label Nov 25, 2018

@pvizeli pvizeli deleted the perm-states-view branch Nov 25, 2018

@balloob balloob added this to the 0.83 milestone Nov 27, 2018

balloob added a commit that referenced this pull request Nov 27, 2018

Add permission checks to Rest API (#18639)
* Add permission checks to Rest API

* Clean up unnecessary method

* Remove all the tuple stuff from entity check

* Simplify perms

* Correct param name for owner permission

* Hass.io make/update user to be admin

* Types

@balloob balloob referenced this pull request Nov 29, 2018

Merged

0.83 #18776

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment