diff --git a/data/model/legacy.py b/data/model/legacy.py index cd21cef57..059e76c8e 100644 --- a/data/model/legacy.py +++ b/data/model/legacy.py @@ -1288,7 +1288,10 @@ def set_user_repo_permission(username, namespace_name, repository_name, if username == namespace_name: raise DataModelException('Namespace owner must always be admin.') - user = User.get(User.username == username) + try: + user = User.get(User.username == username) + except User.DoesNotExist: + raise InvalidUsernameException('Invalid username: %s' % username) return __set_entity_repo_permission(user, 'user', namespace_name, repository_name, role_name) diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index 7ba2500a1..f248c8f8d 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -210,7 +210,10 @@ def validate_json_request(schema_name): def request_error(exception=None, **kwargs): data = kwargs.copy() - raise InvalidRequest(exception.message, data) + message = 'Request error.' + if exception: + message = exception.message + raise InvalidRequest(message, data) def log_action(kind, user_or_orgname, metadata={}, repo=None): diff --git a/endpoints/api/billing.py b/endpoints/api/billing.py index 2bab19e46..42f2bfe17 100644 --- a/endpoints/api/billing.py +++ b/endpoints/api/billing.py @@ -113,6 +113,9 @@ class UserCard(ApiResource): def get(self): """ Get the user's credit card. """ user = get_authenticated_user() + if not user: + raise Unauthorized() + return get_card(user) @nickname('setUserCard') @@ -120,6 +123,9 @@ class UserCard(ApiResource): def post(self): """ Update the user's credit card. """ user = get_authenticated_user() + if not user: + raise Unauthorized() + token = request.get_json()['token'] response = set_card(user, token) log_action('account_change_cc', user.username) 
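Review bot: The new `try`/`except User.DoesNotExist` only distinguishes a missing row from an existing one, so whatever else the `User` table stores under the same name space (the search.py hunk treats user and organization names as one namespace) can be handed a repository role here; if `User` rows can also represent organizations or robot accounts, that should be rejected before `__set_entity_repo_permission` runs, e.g. by checking the row's kind right after the lookup. The text `'Invalid username: %s' % username` embeds caller-supplied input and is forwarded unchanged to the client by `request_error` in the permission.py hunk, which is acceptable in a JSON body but should not be reused in an HTML response. `set_user_repo_permission` starts before the hunk.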
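Review bot: `message = exception.message` relies on `BaseException.message`, which is deprecated since Python 2.6 and is an empty string for exceptions constructed with more than one argument, so such callers would now send an empty error message; `message = str(exception)` gives the same result for single-argument exceptions and covers the rest. It is also worth deciding which exceptions are safe to echo: organization.py calls `request_error(exception=ex)` with `model.DataModelException` instances, so any internal detail in those messages becomes part of the 400 response. The `metadata={}` default on the trailing `log_action` context line is a shared mutable default, unrelated to this change but easy to fix alongside it with `metadata=None`.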
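Review bot: The guard `if not user: raise Unauthorized()` depends on `Unauthorized` being in scope, but the only import change in this diff is in endpoints/api/user.py; billing.py, logs.py, organization.py and repository.py receive the same guard with no import visible, so unless `Unauthorized` is already imported there the anonymous path fails with `NameError` (a 500) instead of the intended 401. Confirm each module's import block, which lies outside these hunks; an unauthenticated request to the GET handler would expose the problem immediately. `UserCard` starts before the hunk.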
@@ -300,6 +306,9 @@ class UserInvoiceList(ApiResource):
 def get(self):
 """ List the invoices for the current user. """
 user = get_authenticated_user()
+ if not user:
+ raise Unauthorized()
+
 if not user.stripe_id:
 raise NotFound()
diff --git a/endpoints/api/build.py b/endpoints/api/build.py
index 4e779918e..14a4d3d77 100644
--- a/endpoints/api/build.py
+++ b/endpoints/api/build.py
@@ -195,5 +195,5 @@ class FileDropResource(ApiResource):
 (url, file_id) = user_files.prepare_for_drop(mime_type)
 return {
 'url': url,
- 'file_id': file_id
+ 'file_id': str(file_id),
 }
diff --git a/endpoints/api/logs.py b/endpoints/api/logs.py
index aef308bfb..171cc3f48 100644
--- a/endpoints/api/logs.py
+++ b/endpoints/api/logs.py
@@ -95,8 +95,11 @@ class UserLogs(ApiResource):
 start_time = args['starttime']
 end_time = args['endtime']
- return get_logs(get_authenticated_user().username, start_time, end_time,
- performer_name=performer_name)
+ user = get_authenticated_user()
+ if not user:
+ raise Unauthorized()
+
+ return get_logs(user.username, start_time, end_time, performer_name=performer_name)
 @resource('/v1/organization//logs')
diff --git a/endpoints/api/organization.py b/endpoints/api/organization.py
index fe886410f..f0683ab1f 100644
--- a/endpoints/api/organization.py
+++ b/endpoints/api/organization.py
@@ -66,6 +66,10 @@ class OrganizationList(ApiResource):
 @validate_json_request('NewOrg')
 def post(self):
 """ Create a new organization. """
+ user = get_authenticated_user()
+ if not user:
+ raise Unauthorized()
+
 org_data = request.get_json()
 existing = None
@@ -85,7 +89,7 @@ class OrganizationList(ApiResource):
 raise request_error(message=msg)
 try:
- model.create_organization(org_data['name'], org_data['email'], get_authenticated_user())
+ model.create_organization(org_data['name'], org_data['email'], user)
 return 'Created', 201
 except model.DataModelException as ex:
 raise request_error(exception=ex)
diff --git a/endpoints/api/permission.py b/endpoints/api/permission.py index d225d1f5c..17b370f65 100644 --- a/endpoints/api/permission.py +++ b/endpoints/api/permission.py @@ -133,8 +133,12 @@ class RepositoryUserPermission(RepositoryParamResource): logger.debug('Setting permission to: %s for user %s' % (new_permission['role'], username)) - perm = model.set_user_repo_permission(username, namespace, repository, - new_permission['role']) + try: + perm = model.set_user_repo_permission(username, namespace, repository, + new_permission['role']) + except model.InvalidUsernameException as ex: + raise request_error(exception=ex) + perm_view = wrap_role_view_user(role_view(perm), perm.user) try: diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index edca0f3db..743996f3f 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -29,6 +29,7 @@ class RepositoryList(ApiResource): 'required': [ 'repository', 'visibility', + 'description', ], 'properties': { 'repository': { @@ -62,6 +63,9 @@ class RepositoryList(ApiResource): def post(self): """Create a new repository.""" owner = get_authenticated_user() + if not owner: + raise Unauthorized() + req = request.get_json() namespace_name = req['namespace'] if 'namespace' in req else owner.username diff --git a/endpoints/api/search.py b/endpoints/api/search.py index d409d39ff..2f3b837d0 100644 --- a/endpoints/api/search.py +++ b/endpoints/api/search.py @@ -33,7 +33,8 @@ class EntitySearch(ApiResource): except model.InvalidOrganizationException: # namespace name was a user - if get_authenticated_user().username == namespace_name: + user = get_authenticated_user() + if user and user.username == namespace_name: robot_namespace = namespace_name users = model.get_matching_users(prefix, robot_namespace, organization) diff --git a/endpoints/api/user.py b/endpoints/api/user.py index d9c31b570..9579ba857 100644 --- a/endpoints/api/user.py +++ b/endpoints/api/user.py 
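Review bot: `except model.InvalidUsernameException as ex:` reaches the exception through the `model` package, but the diff only shows it being raised inside data/model/legacy.py; if `data/model/__init__.py` does not re-export it, the `except` clause itself raises `AttributeError` on the first invalid username and the endpoint answers 500 instead of the intended 400. Confirm the export, or import the exception from the module that defines it. The `try:` that follows the new lines is cut off at the end of the hunk, and the enclosing method starts before it.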
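Review bot: Adding `'description',` to the `required` list of the request schema is a breaking change for API clients that create repositories without a description: they are now rejected by `validate_json_request` before `post` runs. If the goal is only to have the key available in `post`, keep it optional and read it with a default (`req.get('description', '')`) instead; if it really must be required, the contract change should be recorded in the API documentation. The schema dict starts before the hunk.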
@@ -7,7 +7,7 @@ from flask.ext.principal import identity_changed, AnonymousIdentity from app import app from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error, - log_action, internal_only, NotFound) + log_action, internal_only, NotFound, Unauthorized) from endpoints.api.subscribe import subscribe from endpoints.common import common_login from data import model @@ -122,6 +122,9 @@ class User(ApiResource): def put(self): """ Update a users details such as password or email. """ user = get_authenticated_user() + if not user: + raise Unauthorized() + user_data = request.get_json() try: @@ -179,6 +182,9 @@ class PrivateRepositories(ApiResource): """ Get the number of private repos this user has, and whether they are allowed to create more. """ user = get_authenticated_user() + if not user: + raise Unauthorized() + private_repos = model.get_private_repo_count(user.username) repos_allowed = 0 @@ -251,6 +257,9 @@ class ConvertToOrganization(ApiResource): def post(self): """ Convert the user to an organization. """ user = get_authenticated_user() + if not user: + raise Unauthorized() + convert_data = request.get_json() # Ensure that the new admin user is the not user being converted.
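Review bot: `user = get_authenticated_user()` followed by `if not user: raise Unauthorized()` is now repeated verbatim in `User.put`, `PrivateRepositories.get` and `ConvertToOrganization.post`, and again in the billing, logs, organization and repository hunks; a small decorator applied to these resource methods (a proposed `require_user`, not present on the page, that does the lookup and raises `Unauthorized` before the handler body runs) would make deny-by-default the rule rather than something each new endpoint has to remember. Until that exists, any handler that calls `get_authenticated_user()` without this guard still dereferences `None` for anonymous callers, which this diff fixes only for the handlers it touches. Each of the three methods starts before its hunk.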