From c3b179f46e75e92de942a2d45d49c74cb887efc8 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Fri, 7 Jun 2024 11:48:29 -0500 Subject: Replace `…/group/roles` endpoint with `…/resource/…/roles` endpoint. The `…/group/roles` endpoint relied on the now deleted `group_roles` table that caused the implementation to be prone to privilege escalation attacks. This commit provides the `…/resource/…/roles` endpoint that provides the required functionality without the exposure. --- .../auth/authorisation/resources/groups/views.py | 29 ---------------------- 1 file changed, 29 deletions(-) (limited to 'gn_auth/auth/authorisation/resources/groups') diff --git a/gn_auth/auth/authorisation/resources/groups/views.py b/gn_auth/auth/authorisation/resources/groups/views.py index fb1a831..ef6bb0d 100644 --- a/gn_auth/auth/authorisation/resources/groups/views.py +++ b/gn_auth/auth/authorisation/resources/groups/views.py @@ -282,35 +282,6 @@ def link_data() -> Response: return jsonify(with_db_connection(__link__)) -@groups.route("/roles", methods=["GET"]) -@require_oauth("profile group") -def group_roles(): - """Return a list of all available group roles.""" - with require_oauth.acquire("profile group role") as the_token: - def __list_roles__(conn: db.DbConnection): - ## TODO: Check that user has appropriate privileges - with db.cursor(conn) as cursor: - group = user_group(conn, the_token.user).maybe(# type: ignore[misc] - DUMMY_GROUP, lambda grp: grp) - if group == DUMMY_GROUP: - return tuple() - cursor.execute( - "SELECT gr.group_role_id, r.* " - "FROM group_roles AS gr INNER JOIN roles AS r " - "ON gr.role_id=r.role_id " - "WHERE group_id=?", - (str(group.group_id),)) - return tuple( - GroupRole(uuid.UUID(row["group_role_id"]), - group, - Role(uuid.UUID(row["role_id"]), - row["role_name"], - bool(int(row["user_editable"])), - tuple())) - for row in cursor.fetchall()) - return jsonify(tuple( - asdict(role) for role in with_db_connection(__list_roles__))) - @groups.route("/privileges", methods=["GET"]) @require_oauth("profile group") def group_privileges(): -- cgit v1.2.3