Change API calls that expect non-robots to explicitly filter
Before this change, we'd filter in the UI, but calls to the API could still allow robot accounts where we only expect real users.
This commit is contained in:
parent
e5e2384998
commit
fdd43e2490
6 changed files with 21 additions and 14 deletions
|
@ -642,6 +642,13 @@ def find_user_by_email(email):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|
||||||
|
def get_nonrobot_user(username):
|
||||||
|
try:
|
||||||
|
return User.get(User.username == username, User.organization == False, User.robot == False)
|
||||||
|
except User.DoesNotExist:
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
def get_user(username):
|
def get_user(username):
|
||||||
try:
|
try:
|
||||||
return User.get(User.username == username, User.organization == False)
|
return User.get(User.username == username, User.organization == False)
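Review bot: `get_nonrobot_user` has no docstring, and since it is the helper the rest of this commit relies on to exclude non-human accounts, its contract should be stated explicitly: `""" Returns the user with the given username, or None if no such user exists or it is an organization or robot account. """`. Its body is `get_user`'s query plus one extra predicate; expressing it in terms of `get_user` followed by a `robot` check, or routing both through one private helper that takes the extra clauses, would keep the two lookups from drifting apart. `find_user_by_email` (whose trailing `return None` opens the hunk) and `get_user` both continue outside the hunk.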
|
||||||
|
|
|
@ -238,8 +238,8 @@ class SuperUserSendRecoveryEmail(ApiResource):
|
||||||
@nickname('sendInstallUserRecoveryEmail')
|
@nickname('sendInstallUserRecoveryEmail')
|
||||||
def post(self, username):
|
def post(self, username):
|
||||||
if SuperUserPermission().can():
|
if SuperUserPermission().can():
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if not user or user.organization or user.robot:
|
if not user:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
if superusers.is_superuser(username):
|
if superusers.is_superuser(username):
|
||||||
|
@ -288,8 +288,8 @@ class SuperUserManagement(ApiResource):
|
||||||
def get(self, username):
|
def get(self, username):
|
||||||
""" Returns information about the specified user. """
|
""" Returns information about the specified user. """
|
||||||
if SuperUserPermission().can():
|
if SuperUserPermission().can():
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if not user or user.organization or user.robot:
|
if not user:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
return user_view(user)
|
return user_view(user)
|
||||||
|
@ -302,8 +302,8 @@ class SuperUserManagement(ApiResource):
|
||||||
def delete(self, username):
|
def delete(self, username):
|
||||||
""" Deletes the specified user. """
|
""" Deletes the specified user. """
|
||||||
if SuperUserPermission().can():
|
if SuperUserPermission().can():
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if not user or user.organization or user.robot:
|
if not user:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
if superusers.is_superuser(username):
|
if superusers.is_superuser(username):
|
||||||
|
@ -321,8 +321,8 @@ class SuperUserManagement(ApiResource):
|
||||||
def put(self, username):
|
def put(self, username):
|
||||||
""" Updates information about the specified user. """
|
""" Updates information about the specified user. """
|
||||||
if SuperUserPermission().can():
|
if SuperUserPermission().can():
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if not user or user.organization or user.robot:
|
if not user:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
if superusers.is_superuser(username):
|
if superusers.is_superuser(username):
|
||||||
|
|
|
@ -281,7 +281,7 @@ class User(ApiResource):
|
||||||
user_data = request.get_json()
|
user_data = request.get_json()
|
||||||
invite_code = user_data.get('invite_code', '')
|
invite_code = user_data.get('invite_code', '')
|
||||||
|
|
||||||
existing_user = model.get_user(user_data['username'])
|
existing_user = model.get_nonrobot_user(user_data['username'])
|
||||||
if existing_user:
|
if existing_user:
|
||||||
raise request_error(message='The username already exists')
|
raise request_error(message='The username already exists')
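Review bot: For a uniqueness check, narrowing the lookup to non-robot users goes in the wrong direction: if a robot account already holds the requested username, `existing_user` is now None and the request proceeds to creation instead of raising 'The username already exists', so the collision surfaces later (presumably as a database integrity error) or not at all. `get_user` already excluded organizations from this check before the commit, so the same concern applies to them, but that predates this change. Unless username validation elsewhere guarantees that a human username can never coincide with a robot name, this call should look for any existing row, e.g. keep `model.get_user(user_data['username'])` here, or add a model-level existence lookup without the organization/robot filters. The enclosing `post` method starts and ends outside the hunk.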
|
||||||
|
|
||||||
|
@ -821,8 +821,8 @@ class Users(ApiResource):
|
||||||
@nickname('getUserInformation')
|
@nickname('getUserInformation')
|
||||||
def get(self, username):
|
def get(self, username):
|
||||||
""" Get user information for the specified user. """
|
""" Get user information for the specified user. """
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if user is None or user.organization or user.robot:
|
if user is None:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
return user_view(user)
|
return user_view(user)
|
||||||
|
|
|
@ -71,7 +71,7 @@ class QuayNotificationMethod(NotificationMethod):
|
||||||
target_info = config_data['target']
|
target_info = config_data['target']
|
||||||
|
|
||||||
if target_info['kind'] == 'user':
|
if target_info['kind'] == 'user':
|
||||||
target = model.get_user(target_info['name'])
|
target = model.get_nonrobot_user(target_info['name'])
|
||||||
if not target:
|
if not target:
|
||||||
# Just to be safe.
|
# Just to be safe.
|
||||||
return (True, 'Unknown user %s' % target_info['name'], [])
|
return (True, 'Unknown user %s' % target_info['name'], [])
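Review bot: The 'Unknown user' result and the `# Just to be safe.` comment now also cover robot accounts named as a notification target, which the comment does not say; replacing it with `# Organizations and robot accounts cannot be notification targets, so treat them as unknown users.` would record why the non-robot lookup is used here. The enclosing method continues outside the hunk.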
|
||||||
|
|
|
@ -10,7 +10,7 @@ from flask import Flask, current_app
|
||||||
from flask_mail import Mail
|
from flask_mail import Mail
|
||||||
|
|
||||||
def sendConfirmation(username):
|
def sendConfirmation(username):
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if not user:
|
if not user:
|
||||||
print 'No user found'
|
print 'No user found'
|
||||||
return
|
return
|
||||||
|
|
|
@ -10,7 +10,7 @@ from flask import Flask, current_app
|
||||||
from flask_mail import Mail
|
from flask_mail import Mail
|
||||||
|
|
||||||
def sendReset(username):
|
def sendReset(username):
|
||||||
user = model.get_user(username)
|
user = model.get_nonrobot_user(username)
|
||||||
if not user:
|
if not user:
|
||||||
print 'No user found'
|
print 'No user found'
|
||||||
return
|
return
|
||||||
|
|