fix: Check user permission before exporting #6581
Conversation
prateekj117
changed the title
Codecov Report
@@ Coverage Diff @@
## development #6581 +/- ##
===============================================
+ Coverage 65.03% 65.31% +0.27%
===============================================
Files 296 297 +1
Lines 15247 15227 -20
===============================================
+ Hits 9916 9945 +29
+ Misses 5331 5282 -49
Continue to review full report at Codecov.
|
prateekj117
changed the title
|
@iamareebjamal Please review. This will require some changes. I don't get the purpose of passing an argument. |
|
@iamareebjamal Done. Please review. |
app/api/helpers/permissions.py
Outdated
| user.is_moderator(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): | ||
| user.is_moderator(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): |
There was a problem hiding this comment.
continuation line with same indent as next logical line
app/api/helpers/permissions.py
Outdated
| user.is_track_organizer(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): | ||
| user.is_track_organizer(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): |
There was a problem hiding this comment.
continuation line with same indent as next logical line
app/api/helpers/permissions.py
Outdated
| user.is_registrar(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): | ||
| user.is_registrar(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): |
There was a problem hiding this comment.
continuation line with same indent as next logical line
app/api/helpers/exceptions.py
Outdated
| @@ -1,4 +1,6 @@ | |||
| from flask_rest_jsonapi.exceptions import JsonApiException | |||
| from flask_rest_jsonapi.errors import jsonapi_errors | |||
| from flask import make_response, json, abort | |||
There was a problem hiding this comment.
'flask.abort' imported but unused
'flask.json' imported but unused
'flask.make_response' imported but unused
app/api/helpers/exceptions.py
Outdated
| @@ -1,4 +1,6 @@ | |||
| from flask_rest_jsonapi.exceptions import JsonApiException | |||
| from flask_rest_jsonapi.errors import jsonapi_errors | |||
There was a problem hiding this comment.
'flask_rest_jsonapi.errors.jsonapi_errors' imported but unused
|
@iamareebjamal Done. Please review. |
app/api/exports.py
Outdated
| @@ -6,7 +6,7 @@ | |||
|
|
|||
| from app.api.helpers.export_helpers import export_event_json, create_export_job | |||
| from app.api.helpers.permission_manager import has_access | |||
| from app.api.helpers.exceptions import assert_forbidden | |||
| from app.api.helpers.permissions import assert_forbidden | |||
app/api/helpers/permissions.py
Outdated
| @@ -257,3 +260,10 @@ def decorated_function(*args, **kwargs): | |||
| return f(*args, **kwargs) | |||
|
|
|||
| return decorated_function | |||
|
|
|||
|
|
|||
| def assert_forbidden(access_level): | |||
There was a problem hiding this comment.
| def assert_forbidden(access_level): | |
| def assert_forbidden(has_access): |
app/api/helpers/permissions.py
Outdated
| from flask_jwt_extended import verify_jwt_in_request, current_user | ||
|
|
||
| from app.api.helpers.db import save_to_db | ||
| from app.api.helpers.errors import ForbiddenError | ||
| from app.api.helpers.exceptions import ForbiddenException |
There was a problem hiding this comment.
'app.api.helpers.exceptions.ForbiddenException' imported but unused
|
@iamareebjamal Done. Please review now. |
app/api/helpers/permissions.py
Outdated
| user.is_moderator(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): | ||
| user.is_moderator(kwargs['event_id']) or | ||
| user.has_event_access(kwargs['event_id'])): |
There was a problem hiding this comment.
Revert changes in this file. And create a decorator in this file similar to others and apply that to the functions
There was a problem hiding this comment.
@iamareebjamal But these are the simple indentation corrections, I don't see the point of reverting those changes.
There was a problem hiding this comment.
Formatting changes should be done in separate PRs. Someone will be trying to debug something and see the blame and blame you for last modifying and breaking something in a PR for fixing permissions whereas you only indented files
prateekj117
force-pushed
the
event-export-permissions
branch
from
500e9ad to
677c138
Compare
|
@iamareebjamal Please review. |
|
Everything is obviously broken. Please test before asking for review |
app/api/exports.py
Outdated
| @@ -264,6 +275,7 @@ def export_speakers_csv(event_identifier): | |||
|
|
|||
| @export_routes.route('/events/<string:event_identifier>/export/sessions/pdf', methods=['GET'], | |||
| endpoint='export_sessions_pdf') | |||
| @get_event_id | |||
| @is_coorganizer | |||
| def export_sessions_pdf(event_identifier): | |||
There was a problem hiding this comment.
Now this should be event_id and conversion in each function should be removed
There was a problem hiding this comment.
I will edit the logic accordingly.
|
@iamareebjamal Please review. |
|
@kushthedude Review. There are a lot of PRs open, but not reviewed. We need to move forward with new Order API and can't until the deck is cleared |
| if 'event_id' in kwargs and user.has_event_access(kwargs['event_id']): | ||
| if user.is_staff or ('event_id' in kwargs and user.has_event_access(kwargs['event_id'])): | ||
| if 'event_identifier' in kwargs: | ||
| kwargs.pop('event_identifier', None) |
There was a problem hiding this comment.
Because then we will also have to pass an additional parameter of event_identifier in the function after using this decorator which is not used anywhere.
There was a problem hiding this comment.
But this can break a function where they actually are passing event_identifier
There was a problem hiding this comment.
@iamareebjamal Already considered this point. Check the implementation of the older is_coorganizer function, it always used to check using event_id only.
There was a problem hiding this comment.
That's not what I'm talking about. Consider a function where event_identifier is being received as a parameter and this decorator is applied there
There was a problem hiding this comment.
@iamareebjamal Considered this as well. It isn't the case anywhere right now.
There was a problem hiding this comment.
Right now isn't good enough, try to create a method with this decorator and see if it fails
There was a problem hiding this comment.
@iamareebjamal It will fail in case if the function wants event_identifier.
|
Depends on #6610 |
|
@iamareebjamal Please merge this. |
|
How can 6581 depend on 6610? |
|
Besides, this has no relation to 6610 |
|
@iamareebjamal My bad. Wanted to comment this on a other PR. |
|
Not much time to move ahead and be perfect with everything. So, will merge after requested changes are addressed @prateekj117 |
Co-Authored-By: Areeb Jamal <[email protected]>
app/api/helpers/permissions.py
Outdated
| else: | ||
| kwargs['event_id'] = kwargs['event_identifier'] | ||
|
|
||
| return f(*args, **kwargs) |
app/api/helpers/permissions.py
Outdated
| :return: | ||
| """ | ||
|
|
||
| @wraps(f) |
Co-Authored-By: Areeb Jamal <[email protected]>
Co-Authored-By: Areeb Jamal <[email protected]>
|
@iamareebjamal Done. |
|
Everything is broken |
|
@prateekj117 When can this be finalized |
|
@iamareebjamal Done. |
|
Issues
======
+ Solved 2
Clones removed
==============
+ app/api/exports.py -11
See the complete overview on Codacy |
|
Create an issue to fix |
Fixes #6571
Short description of what this resolves:
Export event has some information which should not be available to a normal user. So check user permissions before exporting an event.
Checklist
developmentbranch.