fix: session viewset api permission validation (#13750)

* fix: session viewset api permission validation * fix: some api permission validation --------- Co-authored-by: Bai <baijiangjie@gmail.com>
2024-07-17 15:35:34 +08:00 · 2024-07-17 15:35:34 +08:00 · d6f6bb9c1b
parent 85825165fc
commit d6f6bb9c1b
4 changed files with 20 additions and 7 deletions
--- a/apps/authentication/api/session.py
+++ b/apps/authentication/api/session.py
@ -55,14 +55,14 @@ class UserSessionApi(generics.RetrieveDestroyAPIView):

    def retrieve(self, request, *args, **kwargs):
        if isinstance(request.user, AnonymousUser):
-            return Response(status=status.HTTP_200_OK)
+            return Response(status=status.HTTP_403_FORBIDDEN)

        UserSessionManager(request).connect()
-        return Response(status=status.HTTP_200_OK)
+        return Response(status=status.HTTP_200_OK, data={'ok': True})

    def destroy(self, request, *args, **kwargs):
        if isinstance(request.user, AnonymousUser):
-            return Response(status=status.HTTP_200_OK)
+            return Response(status=status.HTTP_403_FORBIDDEN)

        UserSessionManager(request).disconnect()
-        return Response(status=status.HTTP_204_NO_CONTENT)
+        return Response(status=status.HTTP_200_OK, data={'ok': True})
--- a/apps/common/api/common.py
+++ b/apps/common/api/common.py
@ -97,7 +97,7 @@ class ResourcesIDCacheApi(APIView):


 class CountryListApi(APIView):
-    permission_classes = (AllowAny,)
+    permission_classes = (IsValidUser,)

    def get(self, request, *args, **kwargs):
        return Response(COUNTRY_CALLING_CODES)
--- a/apps/common/management/commands/check_api.py
+++ b/apps/common/management/commands/check_api.py
@ -34,6 +34,10 @@ def parse_to_url(url):
    url = url.replace('(?P<format>[a-z0-9]+)', '')
    url = url.replace('((?P<terminal>[/.]{36})/)?', uid + '/')
    url = url.replace('(?P<pk>[/.]+)', uid)
+    url = url.replace('(?P<label>.*)', uid)
+    url = url.replace('(?P<res_type>.*)', '1')
+    url = url.replace('(?P<name>[\\w.@]+)', '')
+    url = url.replace('<str:name>', 'zh-hans')
    url = url.replace('\.', '')
    url = url.replace('//', '/')
    url = url.strip('$')
@ -70,7 +74,9 @@ known_unauth_urls = [
    "/api/v1/authentication/login-confirm-ticket/status/",
    "/api/v1/authentication/mfa/select/",
    "/api/v1/authentication/mfa/send-code/",
-    "/api/v1/authentication/sso/login/"
+    "/api/v1/authentication/sso/login/",
+    "/api/v1/authentication/user-session/",
+    "/api/v1/settings/i18n/zh-hans/"
 ]

 known_error_urls = [
--- a/apps/terminal/permissions.py
+++ b/apps/terminal/permissions.py
@ -9,7 +9,14 @@ __all__ = ['IsSessionAssignee']

 class IsSessionAssignee(permissions.IsAuthenticated):
    def has_permission(self, request, view):
-        return True
+        if not request.user:
+            return False
+        if request.user.is_anonymous:
+            return False
+        if view.action == 'retrieve':
+            # Why return True? please refer to the issue: #11678
+            return True
+        return False

    def has_object_permission(self, request, view, obj):
        try: