aboutsummaryrefslogtreecommitdiff
path: root/gn_auth/auth/authorisation/resources/groups
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-06-07 11:48:29 -0500
committerFrederick Muriuki Muriithi2024-06-07 11:53:26 -0500
commitc3b179f46e75e92de942a2d45d49c74cb887efc8 (patch)
tree03e2764e9fee497ca8c0b8673d3d4382aad87b60 /gn_auth/auth/authorisation/resources/groups
parent50e458b8951f036c487d7854ebe438e4dfbd6c4f (diff)
downloadgn-auth-c3b179f46e75e92de942a2d45d49c74cb887efc8.tar.gz
Replace `…/group/roles` endpoint with `…/resource/…/roles` endpoint.
The `…/group/roles` endpoint relied on the now deleted `group_roles` table that caused the implementation to be prone to privilege escalation attacks. This commit provides the `…/resource/…/roles` endpoint that provides the required functionality without the exposure.
Diffstat (limited to 'gn_auth/auth/authorisation/resources/groups')
-rw-r--r--gn_auth/auth/authorisation/resources/groups/views.py29
1 files changed, 0 insertions, 29 deletions
diff --git a/gn_auth/auth/authorisation/resources/groups/views.py b/gn_auth/auth/authorisation/resources/groups/views.py
index fb1a831..ef6bb0d 100644
--- a/gn_auth/auth/authorisation/resources/groups/views.py
+++ b/gn_auth/auth/authorisation/resources/groups/views.py
@@ -282,35 +282,6 @@ def link_data() -> Response:
return jsonify(with_db_connection(__link__))
-@groups.route("/roles", methods=["GET"])
-@require_oauth("profile group")
-def group_roles():
- """Return a list of all available group roles."""
- with require_oauth.acquire("profile group role") as the_token:
- def __list_roles__(conn: db.DbConnection):
- ## TODO: Check that user has appropriate privileges
- with db.cursor(conn) as cursor:
- group = user_group(conn, the_token.user).maybe(# type: ignore[misc]
- DUMMY_GROUP, lambda grp: grp)
- if group == DUMMY_GROUP:
- return tuple()
- cursor.execute(
- "SELECT gr.group_role_id, r.* "
- "FROM group_roles AS gr INNER JOIN roles AS r "
- "ON gr.role_id=r.role_id "
- "WHERE group_id=?",
- (str(group.group_id),))
- return tuple(
- GroupRole(uuid.UUID(row["group_role_id"]),
- group,
- Role(uuid.UUID(row["role_id"]),
- row["role_name"],
- bool(int(row["user_editable"])),
- tuple()))
- for row in cursor.fetchall())
- return jsonify(tuple(
- asdict(role) for role in with_db_connection(__list_roles__)))
-
@groups.route("/privileges", methods=["GET"])
@require_oauth("profile group")
def group_privileges():