From 98fb3fb288a32aae262b19c383002bd1c2b33b60 Mon Sep 17 00:00:00 2001 From: Aidaho Date: Mon, 21 Oct 2024 09:35:25 +0300 Subject: [PATCH] v8.1.0.1: Refactor SSH permission checks and streamline database connection Implement additional checks for shared SSH credential editing and deletion. Refactored database connection logic to use keyword arguments for improved readability and maintainability. --- app/modules/db/db_model.py | 12 +++++----- app/templates/ajax/new_ssh.html | 4 ++++ app/views/server/cred_views.py | 40 ++++++++++++++++++++++++++++----- 3 files changed, 46 insertions(+), 10 deletions(-) diff --git a/app/modules/db/db_model.py b/app/modules/db/db_model.py index 7a673d36..07ebfa2b 100644 --- a/app/modules/db/db_model.py +++ b/app/modules/db/db_model.py @@ -21,12 +21,14 @@ class ReconnectMySQLDatabase(ReconnectMixin, MySQLDatabase): def connect(get_migrator=None): if mysql_enable == '1': - mysql_user = get_config.get_config_var('mysql', 'mysql_user') - mysql_password = get_config.get_config_var('mysql', 'mysql_password') mysql_db = get_config.get_config_var('mysql', 'mysql_db') - mysql_host = get_config.get_config_var('mysql', 'mysql_host') - mysql_port = get_config.get_config_var('mysql', 'mysql_port') - conn = ReconnectMySQLDatabase(mysql_db, user=mysql_user, password=mysql_password, host=mysql_host, port=int(mysql_port)) + kwargs = { + "user": get_config.get_config_var('mysql', 'mysql_user'), + "password": get_config.get_config_var('mysql', 'mysql_password'), + "host": get_config.get_config_var('mysql', 'mysql_host'), + "port": int(get_config.get_config_var('mysql', 'mysql_port')) + } + conn = ReconnectMySQLDatabase(mysql_db, **kwargs) migrator = MySQLMigrator(conn) else: db = "/var/lib/roxy-wi/roxy-wi.db" diff --git a/app/templates/ajax/new_ssh.html b/app/templates/ajax/new_ssh.html index 1e3f5ad1..eb10c844 100644 --- a/app/templates/ajax/new_ssh.html +++ b/app/templates/ajax/new_ssh.html @@ -45,7 +45,11 @@
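Review bot: `"port": int(get_config.get_config_var('mysql', 'mysql_port'))` inside the new kwargs literal still raises a bare `ValueError`/`TypeError` when the configured value is empty or non-numeric, so a misconfigured install fails wherever `connect()` first runs with a traceback that never names `mysql_port`. Since the commit is already reworking how these values are assembled, converting the port into a local first and wrapping the `int()` in a `try` that re-raises with a message naming the `mysql_port` key would cost two or three lines and make the failure diagnosable. The `connect()` body continues past the end of the hunk.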
+ {% if ssh.shared and g.user_params['group_id']|string() != ssh.group_id|string() %} + + {% else %} + {% endif %} {% if ssh.shared and g.user_params['group_id']|string() != ssh.group_id|string() %} diff --git a/app/views/server/cred_views.py b/app/views/server/cred_views.py index 7dea1247..3571abde 100644 --- a/app/views/server/cred_views.py +++ b/app/views/server/cred_views.py @@ -172,21 +172,25 @@ class CredView(MethodView): description: Credential update successful """ group_id = SupportClass.return_group_id(body) - ssh = self._get_ssh(cred_id) - if ssh.shared and g.user_params['role'] != 1 and int(group_id) != int(ssh.group_id): - return roxywi_common.handler_exceptions_for_json_data(RoxywiPermissionError(), 'You cannot change shared parameters') + try: self._check_is_correct_group(cred_id) except Exception as e: return roxywi_common.handler_exceptions_for_json_data(e, '') + try: + self._is_editing_shared_ssh(cred_id, g.user_params['group_id']) + except Exception as e: + return roxywi_common.handler_exceptions_for_json_data(e, '') + try: ssh_mod.update_ssh_key(body, group_id, cred_id) return BaseResponse().model_dump(mode='json'), 201 except Exception as e: return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot update SSH key') - def delete(self, cred_id: int): + @validate(query=GroupQuery) + def delete(self, cred_id: int, query: GroupQuery): """ Delete a credential entry --- 
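Review bot: The new `{% if ssh.shared and g.user_params['group_id']|string() != ssh.group_id|string() %}` branch hides the controls purely by group, while the server-side gate this commit adds in cred_views.py (`_is_editing_shared_ssh`) exempts `g.user_params['role'] == 1`, so a superAdmin viewing another group's shared credential appears to lose buttons the API would still honour. If the role is exposed to the template the way it is to the views, aligning the condition, e.g. `{% if ssh.shared and g.user_params['role']|string() != '1' and g.user_params['group_id']|string() != ssh.group_id|string() %}`, keeps UI and API consistent. The markup between the `+` markers seems to have been stripped from this copy, so I cannot see what each branch renders; the element this sits in starts before the hunk.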
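Review bot: In `put`, `self._check_is_correct_group(cred_id)` and the new `self._is_editing_shared_ssh(cred_id, g.user_params['group_id'])` sit in two back-to-back `try` blocks that both end in `return roxywi_common.handler_exceptions_for_json_data(e, '')`, so the second block is pure repetition; placing both calls under a single `try` reads better and makes the check order explicit. Both helpers also appear to load the credential independently — `_is_editing_shared_ssh` visibly calls `self._get_ssh(cred_id)` and the inline `ssh = self._get_ssh(cred_id)` this hunk removes did the same — so if `_check_is_correct_group` (not shown) fetches it too, one lookup could be shared. `put` begins above the hunk, and `delete`, whose new `@validate(query=GroupQuery)` signature starts here, continues into the next hunk.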
@@ -198,15 +202,30 @@ class CredView(MethodView): description: 'ID of the credential to retrieve' required: true type: 'integer' + - in: 'query' + name: 'group_id' + description: 'ID of the group to list users. For superAdmin only' + required: false + type: 'integer' responses: 204: description: Credential deletion successful """ + group_id = SupportClass.return_group_id(query) + try: + self._is_editing_shared_ssh(cred_id, group_id) + except Exception as e: + return roxywi_common.handler_exceptions_for_json_data(e, '') try: self._check_is_correct_group(cred_id) except Exception as e: return roxywi_common.handler_exceptions_for_json_data(e, '') + try: + self._is_editing_shared_ssh(cred_id, g.user_params['group_id']) + except Exception as e: + return roxywi_common.handler_exceptions_for_json_data(e, '') + try: ssh_mod.delete_ssh_key(cred_id) return BaseResponse().model_dump(mode='json'), 204 @@ -247,7 +266,13 @@ class CredView(MethodView): try: self._check_is_correct_group(cred_id) except Exception as e: - return roxywi_common.handler_exceptions_for_json_data(e, ''), 404 + return roxywi_common.handler_exceptions_for_json_data(e, '') + + try: + self._is_editing_shared_ssh(cred_id, g.user_params['group_id']) + except Exception as e: + return roxywi_common.handler_exceptions_for_json_data(e, '') + try: body.private_key = base64.b64decode(body.private_key).decode("ascii") except Exception: @@ -272,6 +297,11 @@ class CredView(MethodView): except RoxywiResourceNotFound: raise RoxywiResourceNotFound + def _is_editing_shared_ssh(self, cred_id: int, group_id: int): + ssh = self._get_ssh(cred_id) + if ssh.shared and g.user_params['role'] != 1 and int(group_id) != int(ssh.group_id): + raise RoxywiPermissionError('You cannot change shared parameters') + class CredsView(MethodView): methods = ['GET']
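Review bot: `delete` now calls `_is_editing_shared_ssh` twice, first with `group_id = SupportClass.return_group_id(query)` and then with `g.user_params['group_id']`; the first check derives its group from the caller-supplied `group_id` query parameter rather than the session, and is in any case superseded by the second, stricter check, so it adds no protection. Because `group_id` is not used anywhere else in the method (`ssh_mod.delete_ssh_key(cred_id)` takes only the id), the `GroupQuery` parameter, the `return_group_id(query)` line and the first `try` block can be dropped, unless `return_group_id` (not shown) is meant to do something beyond resolving a group. If the parameter is kept, its description `ID of the group to list users. For superAdmin only` reads as copy-pasted from a user-listing endpoint and should state what it means for a credential deletion.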
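Review bot: Dropping the explicit `, 404` from the `_check_is_correct_group` failure path means the HTTP status for a credential outside the caller's group is now whatever `handler_exceptions_for_json_data` returns for that exception; if the helper (not shown) does not itself map `RoxywiResourceNotFound` to 404, clients that relied on the old status will see a different code. Worth confirming that mapping, or keeping the status explicit, and recording the resulting code in the endpoint's `responses:` section either way. The enclosing method starts above the hunk and its body, including the `except Exception:` around the base64 decode, continues below it.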
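Review bot: `_is_editing_shared_ssh` has no docstring and its name reads like a boolean predicate, yet it returns nothing and signals the negative case by raising `RoxywiPermissionError`, which is easy to misread at the three call sites where it sits beside `_check_is_correct_group`. A docstring such as `"""Raise RoxywiPermissionError if a non-superAdmin (role != 1) from a group other than ssh.group_id tries to modify a shared credential; superAdmins and the owning group pass."""`, or a rename like `_check_shared_ssh_editable`, would make the contract explicit; it can also propagate whatever `self._get_ssh(cred_id)` raises, including the `RoxywiResourceNotFound` re-raised just above. `int(group_id)` is only reached for non-superAdmins, and a `None` there (a session without `group_id`) surfaces as a `TypeError` that the callers' broad `except Exception` reports as a generic failure rather than a permission error, so a `group_id is None` guard would make that path deliberate.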