nofusscomputing/centurion_erp
1
0
Fork 0
Code Issues Wiki Activity

fix(api): ensure proper permission checking

Browse Source 
!24 fixes #55
This commit is contained in:
Jon Lockwood
2024-06-11 22:17:53 +09:30
parent 2252c86f71
commit 505f4cfdd9
3 changed files with 47 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/access/mixin.py
View File

@ -150,7 +150,7 @@ class OrganizationMixin():
# ToDo: Ensure that the group has access to item
def has_organization_permission(self, organization=None) -> bool:
def has_organization_permission(self, organization: int=None) -> bool:
has_permission = False

57
app/api/views/itam/inventory.py
View File

@ -2,7 +2,7 @@
import json
import re
from django.http import JsonResponse
from django.http import Http404, JsonResponse
from django.utils import timezone
from rest_framework import generics, views
@ -36,44 +36,57 @@ class InventoryPermissions(OrganizationPermissionAPI):
class Collect(OrganizationMixin, views.APIView):
class Collect(OrganizationPermissionAPI, views.APIView):
permission_classes = [
InventoryPermissions
]
# permission_classes = [
# InventoryPermissions
# ]
queryset = Device.objects.all()
def post(self, request, *args, **kwargs):
data = json.loads(request.body)
# data = self.request.data
device = None
self.default_organization = UserSettings.objects.get(user=request.user).default_organization
if Device.objects.filter(slug=str(data['details']['name']).lower()).exists():
self.obj = Device.objects.get(slug=str(data['details']['name']).lower())
device = self.obj
if not self.permission_check(request=request, view=self, obj=device):
raise Http404
status = Http.Status.BAD_REQUEST
device = None
device_operating_system = None
operating_system = None
operating_system_version = None
try:
default_organization = UserSettings.objects.get(user=request.user).default_organization
app_settings = AppSettings.objects.get(owner_organization = None)
if Device.objects.filter(name=data['details']['name']).exists():
device = Device.objects.get(name=data['details']['name'])
else: # Create the device
if not device: # Create the device
device = Device.objects.create(
name = data['details']['name'],
device_type = None,
serial_number = data['details']['serial_number'],
uuid = data['details']['uuid'],
organization = default_organization,
organization = self.default_organization,
)
status = Http.Status.CREATED
@ -87,7 +100,7 @@ class Collect(OrganizationMixin, views.APIView):
operating_system = OperatingSystem.objects.create(
name = data['os']['name'],
organization = default_organization,
organization = self.default_organization,
is_global = True
)
@ -95,7 +108,7 @@ class Collect(OrganizationMixin, views.APIView):
if OperatingSystemVersion.objects.filter( name=data['os']['version_major'], operating_system=operating_system ).exists():
operating_system_version = OperatingSystemVersion.objects.get(
organization = default_organization,
organization = self.default_organization,
is_global = True,
name = data['os']['version_major'],
operating_system = operating_system
@ -104,7 +117,7 @@ class Collect(OrganizationMixin, views.APIView):
else: # Create Operating System Version
operating_system_version = OperatingSystemVersion.objects.create(
organization = default_organization,
organization = self.default_organization,
is_global = True,
name = data['os']['version_major'],
operating_system = operating_system,
@ -128,7 +141,7 @@ class Collect(OrganizationMixin, views.APIView):
else: # Create Operating System Version
device_operating_system = DeviceOperatingSystem.objects.create(
organization = default_organization,
organization = self.default_organization,
device=device,
version = data['os']['version'],
operating_system_version = operating_system_version,
@ -223,7 +236,7 @@ class Collect(OrganizationMixin, views.APIView):
else: # Create Software Category
software_version = SoftwareVersion.objects.create(
organization = default_organization,
organization = self.default_organization,
is_global = True,
name = semver,
software = software,
@ -240,7 +253,7 @@ class Collect(OrganizationMixin, views.APIView):
else: # Create Software
device_software = DeviceSoftware.objects.create(
organization = default_organization,
organization = self.default_organization,
is_global = True,
installedversion = software_version,
software = software,
@ -284,7 +297,9 @@ class Collect(OrganizationMixin, views.APIView):
device.save()
status = Http.Status.OK
if status != Http.Status.CREATED:
status = Http.Status.OK
except Exception as e:

14
app/api/views/mixin.py
View File

@ -1,4 +1,4 @@
from django.core.exceptions import PermissionDenied
from django.forms import ValidationError
from rest_framework.permissions import DjangoObjectPermissions
@ -50,7 +50,6 @@ class OrganizationPermissionAPI(DjangoObjectPermissions, OrganizationMixin):
raise ValidationError('you must provide an organization')
object_organization = int(request.data['organization'])
elif method == 'patch':
action = 'change'
@ -126,12 +125,17 @@ class OrganizationPermissionAPI(DjangoObjectPermissions, OrganizationMixin):
return True
if hasattr(self, 'default_organization'):
object_organization = self.default_organization
if object_organization is None:
if method == 'post' and hasattr(self, 'default_organization'):
raise Exception("unable to determine object organization")
if self.default_organization:
object_organization = self.default_organization.id
if not self.has_organization_permission(object_organization) and not request.user.is_superuser:
return False
raise PermissionDenied('You are not part of this organization')
return True