Merge 13a9f36 into c54a1fb

vantage6 · Dec 20, 2023 · d7c6b0a · d7c6b0a
2 parents c54a1fb + 13a9f36
commit d7c6b0a
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 10 deletions.
diff --git a/docs/release_notes.rst b/docs/release_notes.rst
@@ -1,6 +1,23 @@
 Release notes
 =============
 
+4.1.3
+-----
+
+*19 December 2023*
+
+- **Bugfix**
+
+ - Server logs were not persisted properly
+   (`Issue#951 <https://github.com/vantage6/vantage6/issues/951>`_,
+   `PR#953 <https://github.com/vantage6/vantage6/pull/953>`_).
+ - Fixed validation of request to recover two-factor authentication secret
+   (`PR#941 <https://github.com/vantage6/vantage6/pull/941>`_).
+ - Default roles were visible via GET ``/role`` but not via GET ``/role/<id>``
+   for users without global role view permission. Now they are visible via both
+   (`PR#948 <https://github.com/vantage6/vantage6/pull/948>`_).
+
+
 4.1.2
 -----
 

diff --git a/docs/server/yaml/server_config.yaml b/docs/server/yaml/server_config.yaml
@@ -29,6 +29,10 @@ uri: sqlite:///test.sqlite
 # testing/developing.
 allow_drop_all: True
 
+# Enable or disable two-factor authentication. If enabled, users will be
+# presented with a QR-code to scan with their phone the first time they log in.
+two_factor_auth: true
+
 # The secret key used to generate JWT authorization tokens. This should
 # be kept secret as others are able to generate access tokens if they
 # know this secret. This parameter is optional. In case it is not

diff --git a/vantage6-server/vantage6/server/resource/common/input_schema.py b/vantage6-server/vantage6/server/resource/common/input_schema.py
@@ -257,7 +257,20 @@ class RecoverPasswordInputSchema(Schema):
     username = fields.String(validate=Length(max=_MAX_LEN_NAME))
 
     @validates_schema
-    def validate_email_or_username(self, data, **kwargs):
+    def validate_email_or_username(self, data: dict, **kwargs) -> None:
+        """
+        Validate the input, which should contain either an email or username.
+
+        Parameters
+        ----------
+        data : dict
+            The input data. Should contain an email or username.
+
+        Raises
+        ------
+        ValidationError
+            If the input does not contain an email or username.
+        """
         if not ('email' in data or 'username' in data):
             raise ValidationError('Email or username is required')
 
@@ -268,20 +281,22 @@ class ResetPasswordInputSchema(_PasswordValidationSchema):
                                 validate=Length(max=_MAX_LEN_STR_LONG))
 
 
-class Recover2FAInputSchema(_PasswordValidationSchema):
+class Recover2FAInputSchema(Schema):
     """ Schema for validating input for recovering 2FA. """
     email = fields.Email()
     username = fields.String(validate=Length(max=_MAX_LEN_NAME))
+    password = fields.String(required=True, validate=Length(
+        min=1, max=_MAX_LEN_PW))
 
     @validates_schema
-    def validate_email_or_username(self, data: dict, **kwargs):
+    def validate_email_or_username(self, data: dict, **kwargs) -> None:
         """
         Validate the input, which should contain either an email or username.
 
         Parameters
         ----------
         data : dict
-            The input data.
+            The input data. Should contain an email or username.
 
         Raises
         ------

diff --git a/vantage6-server/vantage6/server/resource/recover.py b/vantage6-server/vantage6/server/resource/recover.py
@@ -382,7 +382,7 @@ def post(self):
             log.info("Someone request 2FA reset for non-existing account"
                      f" {account_name}")
             # we do not tell them.... But we won't continue either
-            return ret
+            return ret, HTTPStatus.OK
 
         # check password
         user, code = user_login(self.config, user.username, password,
@@ -431,7 +431,7 @@ def post(self):
             )
         )
 
-        return ret
+        return ret, HTTPStatus.OK
 
 
 class ChangePassword(ServicesResources):

diff --git a/vantage6-server/vantage6/server/resource/role.py b/vantage6-server/vantage6/server/resource/role.py
@@ -482,12 +482,16 @@ def get(self, id):
             return {"msg": f"Role with id={id} not found."}, \
                 HTTPStatus.NOT_FOUND
 
-        # check permissions. A user can always view their own roles
+        # check permissions. A user can always view their own roles. Roles
+        # that are not assigned to a specific organization can be viewed by
+        # anyone with at least organization permission
         if not (
             self.r.can_for_org(P.VIEW, role.organization_id) or
-            role in g.user.roles
+            role in g.user.roles or
+            (role.name in [role for role in DefaultRole] and
+             self.r.has_at_least_scope(Scope.ORGANIZATION, P.VIEW))
         ):
-            return {"msg": "You do not have permission to view this."},\
+            return {"msg": "You do not have permission to view this."}, \
                     HTTPStatus.UNAUTHORIZED
 
         return role_schema.dump(role, many=False), HTTPStatus.OK

diff --git a/vantage6/vantage6/cli/node/start.py b/vantage6/vantage6/cli/node/start.py
@@ -296,7 +296,7 @@ def cli_node_start(name: str, config: str, system_folders: bool, image: str,
         tty=True
     )
 
-    info(f"Success! container id = {container}")
+    info("Node container was successfully started!")
 
     if attach:
         logs = container.attach(stream=True, logs=True)
@@ -309,3 +309,6 @@ def cli_node_start(name: str, config: str, system_folders: bool, image: str,
                 info("Note that your node is still running! Shut it down with "
                      f"'{Fore.RED}v6 node stop{Style.RESET_ALL}'")
                 exit(0)
+    else:
+        info(f"To see the logs, run: {Fore.GREEN}v6 node attach --name "
+             f"{ctx.name}{Style.RESET_ALL}")