API: Clarify session validity codepaths

2021-01-20 12:37:34 +01:00
parent 3388c3ab09
commit 65e3efa5a3
3 changed files with 33 additions and 1 deletions
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -89,10 +89,38 @@ class EventCRUDPermission(EventPermission):
 class ProfilePermission(BasePermission):

    def has_permission(self, request, view):
-        if not request.user.is_authenticated:
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
            return False

+        if request.user.is_authenticated:
+            try:
+                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+                assert_session_valid(request)
+            except SessionInvalid:
+                return False
+            except SessionReauthRequired:
+                return False
+
        if isinstance(request.auth, OAuthAccessToken):
            if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS:
                return False
+
+        return True
+
+
+class AnyAuthenticatedClientPermission(BasePermission):
+
+    def has_permission(self, request, view):
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
+            return False
+
+        if request.user.is_authenticated:
+            try:
+                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+                assert_session_valid(request)
+            except SessionInvalid:
+                return False
+            except SessionReauthRequired:
+                return False
+
        return True
--- a/src/pretix/api/views/upload.py
+++ b/src/pretix/api/views/upload.py
@@ -9,6 +9,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView

 from pretix.api.auth.device import DeviceTokenAuthentication
+from pretix.api.auth.permission import AnyAuthenticatedClientPermission
 from pretix.api.auth.token import TeamTokenAuthentication
 from pretix.base.models import CachedFile

@@ -25,6 +26,7 @@ class UploadView(APIView):
        SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
    )
    parser_classes = [FileUploadParser]
+    permission_classes = [AnyAuthenticatedClientPermission]

    def post(self, request):
        if 'file' not in request.data:
--- a/src/pretix/api/views/version.py
+++ b/src/pretix/api/views/version.py
@@ -6,6 +6,7 @@ from rest_framework.views import APIView

 from pretix import __version__
 from pretix.api.auth.device import DeviceTokenAuthentication
+from pretix.api.auth.permission import AnyAuthenticatedClientPermission
 from pretix.api.auth.token import TeamTokenAuthentication


@@ -48,6 +49,7 @@ class VersionView(APIView):
    authentication_classes = (
        SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
    )
+    permission_classes = [AnyAuthenticatedClientPermission]

    def get(self, request, format=None):
        return Response({