API: Clarify session validity codepaths

This commit is contained in:
Raphael Michel
2021-01-20 12:37:34 +01:00
parent 3388c3ab09
commit 65e3efa5a3
3 changed files with 33 additions and 1 deletions


@@ -89,10 +89,38 @@ class EventCRUDPermission(EventPermission):
class ProfilePermission(BasePermission): class ProfilePermission(BasePermission):
def has_permission(self, request, view): def has_permission(self, request, view):
if not request.user.is_authenticated: if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
return False return False
if request.user.is_authenticated:
try:
# If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
assert_session_valid(request)
except SessionInvalid:
return False
except SessionReauthRequired:
return False
if isinstance(request.auth, OAuthAccessToken): if isinstance(request.auth, OAuthAccessToken):
if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS: if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS:
return False return False
return True
class AnyAuthenticatedClientPermission(BasePermission):
def has_permission(self, request, view):
if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
return False
if request.user.is_authenticated:
try:
# If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
assert_session_valid(request)
except SessionInvalid:
return False
except SessionReauthRequired:
return False
return True return True
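Review bot: The session-validity block (`if request.user.is_authenticated:` … `except SessionReauthRequired: return False`) is copied verbatim into both ProfilePermission.has_permission and AnyAuthenticatedClientPermission.has_permission, each carrying the "also update pretix/control/middleware.py" comment, so there are now three places that must be kept in sync instead of one. A small module-level helper that both permission classes call keeps the check in one place and lets each method read as `if not _session_is_valid(request): return False`. Since `request.user.is_authenticated` presumably also holds for OAuthAccessToken requests, `assert_session_valid` now runs on those too; it is worth confirming that it tolerates a request with no session-based login rather than rejecting it, as that would silently lock out OAuth clients from these endpoints.
```python
def _session_is_valid(request):
    """Return False when a logged-in user's session is invalid or requires re-authentication."""
    if not request.user.is_authenticated:
        return True
    try:
        # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
        assert_session_valid(request)
    except (SessionInvalid, SessionReauthRequired):
        return False
    return True


class ProfilePermission(BasePermission):
    def has_permission(self, request, view):
        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
            return False
        if not _session_is_valid(request):
            return False
        # … unchanged: OAuthAccessToken scope check …
        return True


class AnyAuthenticatedClientPermission(BasePermission):
    def has_permission(self, request, view):
        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
            return False
        return _session_is_valid(request)
```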


@@ -9,6 +9,7 @@ from rest_framework.response import Response
from rest_framework.views import APIView from rest_framework.views import APIView
from pretix.api.auth.device import DeviceTokenAuthentication from pretix.api.auth.device import DeviceTokenAuthentication
from pretix.api.auth.permission import AnyAuthenticatedClientPermission
from pretix.api.auth.token import TeamTokenAuthentication from pretix.api.auth.token import TeamTokenAuthentication
from pretix.base.models import CachedFile from pretix.base.models import CachedFile
@@ -25,6 +26,7 @@ class UploadView(APIView):
SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
) )
parser_classes = [FileUploadParser] parser_classes = [FileUploadParser]
permission_classes = [AnyAuthenticatedClientPermission]
def post(self, request): def post(self, request):
if 'file' not in request.data: if 'file' not in request.data:


@@ -6,6 +6,7 @@ from rest_framework.views import APIView
from pretix import __version__ from pretix import __version__
from pretix.api.auth.device import DeviceTokenAuthentication from pretix.api.auth.device import DeviceTokenAuthentication
from pretix.api.auth.permission import AnyAuthenticatedClientPermission
from pretix.api.auth.token import TeamTokenAuthentication from pretix.api.auth.token import TeamTokenAuthentication
@@ -48,6 +49,7 @@ class VersionView(APIView):
authentication_classes = ( authentication_classes = (
SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
) )
permission_classes = [AnyAuthenticatedClientPermission]
def get(self, request, format=None): def get(self, request, format=None):
return Response({ return Response({