Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bug: anonymous user should not get guillotina.Authenticated #744

Merged
merged 6 commits into from Nov 27, 2019
Merged
Changes from all commits
Commits
File filter...
Filter file types
Jump to…
Jump to file or symbol
Failed to load files and symbols.

Always

Just for now

@@ -4,6 +4,9 @@ CHANGELOG
5.1.19 (unreleased)
-------------------

- Fix security bug: anonymous users were being granted
guillotina.Authenticated [lferran]

- Update default zope.interface to 4.7.1
[bloodbare]

@@ -59,3 +59,8 @@ def __init__(self):
super().__init__()
self.id = ANONYMOUS_USER_ID
self._roles["guillotina.Anonymous"] = Allow

@property
def roles(self):
# This prevents roles from being modified for anonymous user
return self._roles.copy()
@@ -3,6 +3,7 @@
from guillotina import task_vars
from guillotina._settings import app_settings
from guillotina.auth import groups # noqa
from guillotina.auth.users import AnonymousUser
from guillotina.auth.users import ROOT_USER_ID
from guillotina.component import get_utility
from guillotina.interfaces import IApplication
@@ -31,7 +32,7 @@


def set_authenticated_user(user):
if user is not None:
This conversation was marked as resolved by lferran

This comment has been minimized.

Copy link
@vangheem

vangheem Nov 27, 2019

Member

Instead of removing this and hardcoding guillotina.Authenticated into the anon user object, can we just make the roles not editable on the anon user object?

This comment has been minimized.

Copy link
@lferran

lferran Nov 27, 2019

Author Contributor

done

if user is not None and not isinstance(user, AnonymousUser):
policy = get_security_policy(user)
policy.invalidate_cache()
if hasattr(user, "roles") and "guillotina.Authenticated" not in user.roles:
@@ -198,6 +198,18 @@ def sync_foobar_sub(ob, evt):
raise HTTPUnprocessableEntity()


# Create a new permission and grant it to authenticated users only
configure.permission("example.EndpointPermission", "example permission")
configure.grant(permission="example.EndpointPermission", role="guillotina.Authenticated")


@configure.service(
context=IApplication, method="GET", permission="example.EndpointPermission", name="@myEndpoint"
)
async def my_endpoint(context, request):
return {"foo": "bar"}


class ITestAsyncUtility(IAsyncUtility):
pass

@@ -645,6 +645,13 @@ def uninstall(cls, container, request):
assert status == 422


async def test_anonymous_user_does_not_get_authenticated_role(container_requester):
async with container_requester as requester:
# Make call as anonymous user
_, status = await requester("GET", "/@myEndpoint", auth_type="Bearer", token="foo")
assert status == 401


async def test_addable_types(container_requester):
async with container_requester as requester:
response, status = await requester("GET", "/db/guillotina/@addable-types")
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.