From b535df5615c253d61e1a4877cb911560360ec0b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rajmund=20Hru=C5=A1ka?= <rajmund.hruska@cesnet.cz>
Date: Wed, 8 Mar 2023 14:07:59 +0100
Subject: [PATCH] Restrict getClients API to clients with 'manage' flag

---
 warden_server/warden_server.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/warden_server/warden_server.py b/warden_server/warden_server.py
index ffe7ce3..c68e7a1 100755
--- a/warden_server/warden_server.py
+++ b/warden_server/warden_server.py
@@ -305,6 +305,12 @@ class PlainAuthenticator(ObjectBase):
                 return None
             return client
 
+        if method.manage:
+            if not client.manage:
+                self.log.info("authorize: failed, client does not have manage enabled")
+                return None
+            return client
+
         if method.read:
             if not client.read:
                 self.log.info("authorize: failed, client does not have read enabled")
@@ -1431,13 +1437,14 @@ class PostgreSQL(DataBase):
         return ["DELETE FROM events WHERE id <= %s"], [(id_,)], 0
 
 
-def expose(read=True, write=False, debug=False):
+def expose(read=True, write=False, debug=False, manage=False):
     def expose_deco(meth):
         meth.exposed = True
         meth.read = read
         meth.write = write
         meth.debug = debug
+        meth.manage = manage
         if not hasattr(meth, "arguments"):
             meth.arguments = get_method_params(meth)
         return meth
@@ -1630,7 +1637,7 @@ class WardenHandler(ObjectBase):
         info["description"] = self.description
         return info
 
-    @expose(read=True)
+    @expose(manage=True)
     @json_wrapper
     def getClients(self):
         clients = self.db.get_clients()
-- 
GitLab
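Review bot: The new manage branch is inserted after a check that already ends in `return client` (the context line just above the insertion), so authorization here is decided by the first method flag matched in order, not by every flag a method carries; a method exposed with that earlier flag and `manage=True` would be granted before `method.manage` is ever consulted. That is harmless for getClients, which only sets manage, but the precedence is invisible to the next person adding a flag, so a comment at the top of the inserted block is warranted: `# flag checks are ordered by privilege; the first method flag that is set decides the outcome, later flags are not examined`. The branch also assumes the client record exposes a `manage` attribute, which this diff does not add; if the client object is built from a table or config without such a field, the check would raise rather than deny, so that is worth confirming. The enclosing authorize method starts and ends outside the hunk.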
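Review bot: `expose` now carries four independent boolean flags with no documentation, and the one non-obvious property, that `read` defaults to True so `@expose(manage=True)` also tags a method as readable, is exactly what a caller of the new parameter needs to know. A docstring on `expose` should state that read, write, debug and manage are set on the method as independent attributes, that the authenticator checks them in its own precedence order, and that a method meant to be reachable only by privileged clients must pass `read=False` explicitly because of the default. The same point applies to the `@expose(manage=True)` line in the getClients hunk below.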
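Review bot: `@expose(manage=True)` leaves `read=True` from the decorator's default, so getClients is tagged both read and manage; the restriction then holds only because the manage branch in authorize is evaluated before the read branch, and any other consumer of `meth.read` will still see getClients as a read-level method. Making the intent explicit removes the dependence on check order: `@expose(read=False, manage=True)`. The body of getClients continues outside the hunk.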