Bug #7634
open
authorize method doesn't check all flags
Start date:
03/06/2023
Due date:
% Done:
0%
Estimated time:
Description
So, there is the following method called authorize:

    def authorize(self, env, client, path, method):
        if method.debug:
            if not client.debug:
                self.log.info("authorize: failed, client does not have debug enabled")
                return None
            return client
        if method.read:
            if not client.read:
                self.log.info("authorize: failed, client does not have read enabled")
                return None
            return client
        if method.write:
            if not (client.write or client.test):
                self.log.info("authorize: failed, client is not allowed to write or test")
                return None
            return client

And then there are a bunch of exposed methods, the following one called getDebug is interesting:

    @expose(read=True, debug=True)
    @json_wrapper
    def getDebug(self):
        return {
            "environment": self.req.env,
            ...
        }

If in authorize, read was checked before debug, it wouldn't matter what the value of debug in getDebug is, because the method would only check read and then return.
So the question is, is that a bug or a feature? I want to add another flag - managed - but I would need to add it at the beginning of the authorize method. I think it shouldn't depend on the order of checks (if statements).
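
An added example, not part of the report or the project's code: the first-match logic quoted above next to an order-independent check that requires every flag set on the method. The Flags class, the REQUIREMENTS table and both function names are hypothetical, and it assumes that all flags on a method are meant to be required together, including the proposed managed flag.

```python
from dataclasses import dataclass


@dataclass
class Flags:
    # Hypothetical stand-in for a method's @expose flags and a client's permissions.
    debug: bool = False
    read: bool = False
    write: bool = False
    test: bool = False
    managed: bool = False


def authorize_first_match(client, method):
    """Same decision logic as the reported method: stop at the first flag the method sets."""
    if method.debug:
        return client if client.debug else None
    if method.read:
        return client if client.read else None
    if method.write:
        return client if (client.write or client.test) else None
    return None  # the reported method falls off the end, which also yields None


# One predicate per method flag; evaluation order has no effect on the result.
REQUIREMENTS = {
    "debug": lambda c: c.debug,
    "read": lambda c: c.read,
    "write": lambda c: c.write or c.test,  # write is satisfied by write or test, as in the report
    "managed": lambda c: c.managed,        # assumed semantics for the proposed flag
}


def authorize_all_flags(client, method):
    """Allow only if the client satisfies every flag the method declares."""
    required = [name for name in REQUIREMENTS if getattr(method, name)]
    if not required:
        return None  # deny methods that declare no flags at all
    missing = [name for name in required if not REQUIREMENTS[name](client)]
    return None if missing else client


if __name__ == "__main__":
    get_debug = Flags(read=True, debug=True)   # flags from @expose(read=True, debug=True)
    debug_only = Flags(debug=True)             # constructed client without read
    print("first match:", authorize_first_match(debug_only, get_debug) is not None)
    print("all flags:  ", authorize_all_flags(debug_only, get_debug) is not None)
```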