From 2d37c6d94d13f8ab2f4c6015904eb12ab2d2380c Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Tue, 2 Apr 2019 09:36:07 +0200
Subject: [PATCH] Make device token revokation more explicit
---
src/pretix/api/auth/device.py | 2 +-
.../migrations/0116_auto_20190402_0722.py | 22 +++++++++++++++++++
src/pretix/base/models/devices.py | 1 +
.../organizers/device_revoke.html | 7 ++++++
src/tests/api/test_auth.py | 3 ++-
5 files changed, 33 insertions(+), 2 deletions(-)
create mode 100644 src/pretix/base/migrations/0116_auto_20190402_0722.py
diff --git a/src/pretix/api/auth/device.py b/src/pretix/api/auth/device.py
index 370038308..8bc3ee2ec 100644
--- a/src/pretix/api/auth/device.py
+++ b/src/pretix/api/auth/device.py
@@ -19,7 +19,7 @@ class DeviceTokenAuthentication(TokenAuthentication):
if not device.initialized:
raise exceptions.AuthenticationFailed('Device has not been initialized.')
- if not device.api_token:
+ if device.revoked:
raise exceptions.AuthenticationFailed('Device access has been revoked.')
return AnonymousUser(), device
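Review bot: Replacing `if not device.api_token:` with `if device.revoked:` makes the new flag the only revocation gate in this method, so a revoked device presumably keeps a stored token that still resolves to its row. The diffstat lists no change to the code that performs the revocation, so confirm that path sets `revoked = True` and saves it; otherwise this branch never fires. Keeping the old condition as a second guard costs nothing: `if device.revoked or not device.api_token:`. The method starts above the hunk, so the token lookup itself is not visible here and the effect of a null token on it cannot be checked from this diff.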
diff --git a/src/pretix/base/migrations/0116_auto_20190402_0722.py b/src/pretix/base/migrations/0116_auto_20190402_0722.py
new file mode 100644
index 000000000..7d1c5d62a
--- /dev/null
+++ b/src/pretix/base/migrations/0116_auto_20190402_0722.py
@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-04-02 07:22
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('pretixbase', '0115_auto_20190323_2238'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='device',
+ name='revoked',
+ field=models.BooleanField(default=False),
+ ),
+ ]
diff --git a/src/pretix/base/models/devices.py b/src/pretix/base/models/devices.py
index 99feba2d3..69f9ae343 100644
--- a/src/pretix/base/models/devices.py
+++ b/src/pretix/base/models/devices.py
@@ -41,6 +41,7 @@ class Device(LoggedModel):
api_token = models.CharField(max_length=190, unique=True, null=True)
all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+ revoked = models.BooleanField(default=False)
name = models.CharField(
max_length=190,
verbose_name=_('Name')
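Review bot: Devices whose access was removed before this field existed will load with `revoked=False`, because the column defaults to False and migration 0116 contains only the `AddField`. If the earlier revoke flow cleared `api_token`, as the check removed in device.py suggests, a `RunPython` step in that migration that sets `revoked=True` for initialized devices with a null token would keep the stored state consistent with what organizers did. Any other code that resolves a device by `api_token` now needs the same `revoked` test, since the token alone no longer implies access. A short comment on the field would make that contract visible, e.g. `# True once an organizer has removed this device's access; must be checked wherever api_token is accepted`.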
diff --git a/src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html b/src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html
index a09f5643d..a1369900d 100644
--- a/src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html
+++ b/src/pretix/control/templates/pretixcontrol/organizers/device_revoke.html
@@ -9,6 +9,13 @@
{% blocktrans %}Are you sure you want remove access for this device?{% endblocktrans %}
{% trans "All data of this device will stay available, but you can't use the device any more." %}
+
+
+ - {% trans "All data uploaded by this device will stay available online." %}
+ - {% trans "If data (e.g. POS transactions or check-ins) has been created on this device and has not been uploaded, you will no longer be able to upload it." %}
+ - {% trans "If the device software supports it, personal data such as orders will be deleted from the device on the next synchronization attempt. Non-personal data such as event metadata and POS transactions will persist until you uninstall or reset the software manually." %}
+
+