github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: session viewset api permission validation (#13750) 

* fix: session viewset api permission validation

* fix: some api permission validation

---------

Co-authored-by: Bai <baijiangjie@gmail.com>
pull/13753/head
fit2bot 2024-07-17 15:35:34 +08:00 committed by GitHub
parent 85825165fc
commit d6f6bb9c1b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 20 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apps/authentication/api/session.py
View File

@ -55,14 +55,14 @@ class UserSessionApi(generics.RetrieveDestroyAPIView):
def retrieve(self, request, *args, **kwargs): def retrieve(self, request, *args, **kwargs):
if isinstance(request.user, AnonymousUser): if isinstance(request.user, AnonymousUser):
return Response(status=status.HTTP_200_OK) return Response(status=status.HTTP_403_FORBIDDEN)
UserSessionManager(request).connect() UserSessionManager(request).connect()
return Response(status=status.HTTP_200_OK) return Response(status=status.HTTP_200_OK, data={'ok': True})
def destroy(self, request, *args, **kwargs): def destroy(self, request, *args, **kwargs):
if isinstance(request.user, AnonymousUser): if isinstance(request.user, AnonymousUser):
return Response(status=status.HTTP_200_OK) return Response(status=status.HTTP_403_FORBIDDEN)
UserSessionManager(request).disconnect() UserSessionManager(request).disconnect()
return Response(status=status.HTTP_204_NO_CONTENT) return Response(status=status.HTTP_200_OK, data={'ok': True})

2
apps/common/api/common.py
View File

@ -97,7 +97,7 @@ class ResourcesIDCacheApi(APIView):
class CountryListApi(APIView): class CountryListApi(APIView):
permission_classes = (AllowAny,) permission_classes = (IsValidUser,)
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
return Response(COUNTRY_CALLING_CODES) return Response(COUNTRY_CALLING_CODES)

8
apps/common/management/commands/check_api.py
View File

@ -34,6 +34,10 @@ def parse_to_url(url):
url = url.replace('(?P<format>[a-z0-9]+)', '') url = url.replace('(?P<format>[a-z0-9]+)', '')
url = url.replace('((?P<terminal>[/.]{36})/)?', uid + '/') url = url.replace('((?P<terminal>[/.]{36})/)?', uid + '/')
url = url.replace('(?P<pk>[/.]+)', uid) url = url.replace('(?P<pk>[/.]+)', uid)
url = url.replace('(?P<label>.*)', uid)
url = url.replace('(?P<res_type>.*)', '1')
url = url.replace('(?P<name>[\\w.@]+)', '')
url = url.replace('<str:name>', 'zh-hans')
url = url.replace('\.', '') url = url.replace('\.', '')
url = url.replace('//', '/') url = url.replace('//', '/')
url = url.strip('$') url = url.strip('$')
@ -70,7 +74,9 @@ known_unauth_urls = [
"/api/v1/authentication/login-confirm-ticket/status/", "/api/v1/authentication/login-confirm-ticket/status/",
"/api/v1/authentication/mfa/select/", "/api/v1/authentication/mfa/select/",
"/api/v1/authentication/mfa/send-code/", "/api/v1/authentication/mfa/send-code/",
"/api/v1/authentication/sso/login/" "/api/v1/authentication/sso/login/",
"/api/v1/authentication/user-session/",
"/api/v1/settings/i18n/zh-hans/"
] ]
known_error_urls = [ known_error_urls = [

9
apps/terminal/permissions.py
View File

@ -9,7 +9,14 @@ __all__ = ['IsSessionAssignee']
class IsSessionAssignee(permissions.IsAuthenticated): class IsSessionAssignee(permissions.IsAuthenticated):
def has_permission(self, request, view): def has_permission(self, request, view):
return True if not request.user:
return False
if request.user.is_anonymous:
return False
if view.action == 'retrieve':
# Why return True? please refer to the issue: #11678
return True
return False
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
try: try: