vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Disable superuser functions around users when not using DB auth

Browse source
This commit is contained in:
Joseph Schorr 2015-10-16 15:14:49 -04:00
parent 2f42a4d94d
commit ad5beab3ef
2 changed files with 26 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

16
endpoints/api/superuser.py
View file

@ -236,6 +236,10 @@ class SuperUserList(ApiResource):
@require_scope(scopes.SUPERUSER)
def post(self):
""" Creates a new user. """
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
abort(400)
user_information = request.get_json()
if SuperUserPermission().can():
username = user_information['username']
@ -274,6 +278,10 @@ class SuperUserSendRecoveryEmail(ApiResource):
@nickname('sendInstallUserRecoveryEmail')
@require_scope(scopes.SUPERUSER)
def post(self, username):
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
abort(400)
if SuperUserPermission().can():
user = model.user.get_nonrobot_user(username)
if not user:
@ -370,9 +378,17 @@ class SuperUserManagement(ApiResource):
user_data = request.get_json()
if 'password' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
abort(400)
model.user.change_password(user, user_data['password'])
if 'email' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
abort(400)
model.user.update_email(user, user_data['email'], auto_verify=True)
if 'enabled' in user_data: