From 5de179bf972167fcad416c2335f063baa2f37f97 Mon Sep 17 00:00:00 2001
From: Bben <47628473+Bbillyben@users.noreply.github.com>
Date: Mon, 25 Apr 2022 18:13:34 +0200
Subject: [PATCH 1/3] first commit add constant
---
 src/oncall/api/v0/event.py | 11 +++++++++--
 src/oncall/api/v0/events.py | 9 +++++----
 src/oncall/constants.py | 3 +++
 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/oncall/api/v0/event.py b/src/oncall/api/v0/event.py
index 45945c6c..e36741e2 100644
--- a/src/oncall/api/v0/event.py
+++ b/src/oncall/api/v0/event.py
@@ -5,12 +5,12 @@ from ujson import dumps as json_dumps
 from falcon import HTTPNotFound, HTTPBadRequest, HTTPUnauthorized
-from ...auth import login_required, check_calendar_auth, check_team_auth
+from ...auth import login_required, check_calendar_auth, check_team_auth, check_user_auth_event
 from ... import db, constants
 from ...utils import (
 load_json_body, user_in_team_by_name, create_notification, create_audit
 )
-from ...constants import EVENT_DELETED, EVENT_EDITED
+from ...constants import EVENT_DELETED, EVENT_EDITED, AUTH_USER_CAL_MOD
 from .events import columns, all_columns
@@ -99,6 +99,8 @@ def on_put(req, resp, event_id):
 """
 data = load_json_body(req)
+ if not AUTH_USER_CAL_MOD:
+ check_user_auth_event(event_id, req)
 if 'end' in data and 'start' in data and data['start'] >= data['end']:
 raise HTTPBadRequest('Invalid event update', 'Event must start before it ends')
@@ -190,6 +192,11 @@ def on_delete(req, resp, event_id):
 :statuscode 403: Delete not allowed; logged in user is not a team member
 :statuscode 404: Event not found
 """
+
+ if not AUTH_USER_CAL_MOD:
+ check_user_auth_event(event_id, req)
+
+
 connection = db.connect()
 cursor = connection.cursor(db.DictCursor)
diff --git a/src/oncall/api/v0/events.py b/src/oncall/api/v0/events.py
index 8f925d12..05caf6a2 100644
--- a/src/oncall/api/v0/events.py
+++ b/src/oncall/api/v0/events.py
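Review bot: `if not AUTH_USER_CAL_MOD:` in on_put tests the value that `from ...constants import AUTH_USER_CAL_MOD` bound at import time, which is the module default `None` unless `constants.init(config)` has already run before this module is imported; `init()` rebinds `constants.AUTH_USER_CAL_MOD`, not the copy bound in this module, so the setting cannot switch the admin check off. The module already imports `constants` (`from ... import db, constants` in the hunk above), so read the live attribute at request time: `if not constants.AUTH_USER_CAL_MOD:`. The failure direction is at least safe, since an unset value keeps the stricter check on. on_put's docstring, which ends at the `"""` that opens this hunk, should also state that with `auth_user_cal_mod` off only team admins (or god) may edit an event; the rest of on_put lies outside the hunk.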
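Review bot: The two empty added lines after `check_user_auth_event(event_id, req)` in on_delete leave a blank run inside the function body; drop them so the guard sits directly above `connection = db.connect()`, matching the on_put hunk in this same file. As in on_put, `AUTH_USER_CAL_MOD` here is the name captured by `from ...constants import` at import time, so `if not constants.AUTH_USER_CAL_MOD:` is the form that actually follows the configured value. The `:statuscode 403: Delete not allowed; logged in user is not a team member` line in the docstring now also covers the team-admin requirement and should say so, e.g. `:statuscode 403: Delete not allowed; logged in user is not a team member, or not a team admin when auth_user_cal_mod is off`. on_delete's body continues past the end of the hunk.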
@@ -4,12 +4,12 @@ import time
 from falcon import HTTP_201, HTTPError, HTTPBadRequest
 from ujson import dumps as json_dumps
-from ...auth import login_required, check_calendar_auth
+from ...auth import login_required, check_calendar_auth, check_team_auth
 from ... import db, constants
 from ...utils import (
 load_json_body, user_in_team_by_name, create_notification, create_audit
 )
-from ...constants import EVENT_CREATED
+from ...constants import EVENT_CREATED, AUTH_USER_CAL_MOD
 columns = {
 'id': '`event`.`id` as `id`',
@@ -204,7 +204,6 @@ def on_get(req, resp):
 connection.close()
 resp.body = json_dumps(data)
-
 @login_required
 def on_post(req, resp):
 """
@@ -255,7 +254,9 @@ def on_post(req, resp):
 if data['start'] >= data['end']:
 raise HTTPBadRequest('Invalid event', 'Event must start before it ends')
 check_calendar_auth(data['team'], req)
-
+ global AUTH_USER_CAL_MOD
+ if not AUTH_USER_CAL_MOD:
+ check_team_auth(data['team'], req)
 columns = ['`start`', '`end`', '`user_id`', '`team_id`', '`role_id`']
 values = ['%(start)s', '%(end)s',
 '(SELECT `id` FROM `user` WHERE `name`=%(user)s)',
diff --git a/src/oncall/constants.py b/src/oncall/constants.py
index 91bbb542..a6c4b043 100644
--- a/src/oncall/constants.py
+++ b/src/oncall/constants.py
@@ -39,6 +39,7 @@ SUPPORTED_TIMEZONES = None
+AUTH_USER_CAL_MOD = None
 def init(config):
 global DEFAULT_ROLES
@@ -46,8 +47,10 @@ def init(config):
 global DEFAULT_TIMES
 global SUPPORTED_TIMEZONES
 global GRACE_PERIOD
+ global AUTH_USER_CAL_MOD
 DEFAULT_ROLES = config['notifications']['default_roles']
 DEFAULT_MODES = config['notifications']['default_modes']
 DEFAULT_TIMES = config['notifications']['default_times']
 SUPPORTED_TIMEZONES = config['supported_timezones']
 GRACE_PERIOD = config.get('grace_period', 86400)
+ AUTH_USER_CAL_MOD = config.get('auth_user_cal_mod')
From bdd154b20dcd877519266e2bbdcb5a5e323aecf2 Mon Sep 17 00:00:00 2001
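Review bot: `global AUTH_USER_CAL_MOD` in on_post is not needed to read the name and does not change where the value comes from: it is still the `None` that `from ...constants import AUTH_USER_CAL_MOD` captured at import time, unless `constants.init(config)` ran before this module was loaded, so `check_team_auth` is forced on whatever the config says. Drop the `global` line and test the live module attribute, `if not constants.AUTH_USER_CAL_MOD:` — `constants` is already imported in this file's first hunk — which is also the form event.py needs. on_post starts before this hunk, so I cannot see whether `AUTH_USER_CAL_MOD` is referenced earlier in the body, which would turn the late `global` statement into a SyntaxError. Note that `check_calendar_auth(data['team'], req)` still runs first, so the new check only tightens, never loosens, the existing authorisation.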
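Review bot: `AUTH_USER_CAL_MOD = config.get('auth_user_cal_mod')` in init() yields `None` when the key is missing, and the API handlers treat every falsy value as "restrict event changes to team admins"; that is the safe direction, but it should be explicit rather than an accident of `None` being falsy, e.g. `AUTH_USER_CAL_MOD = config.get('auth_user_cal_mod', False)`. The module-level default `AUTH_USER_CAL_MOD = None` in the previous hunk deserves a comment such as `# False/unset: only team admins (or god) may create, edit or delete events`, since the other constants here give no hint of the gating semantics. init()'s signature is in the hunk header but its first lines lie outside this hunk.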
From: Bben <47628473+Bbillyben@users.noreply.github.com>
Date: Mon, 25 Apr 2022 18:16:07 +0200
Subject: [PATCH 2/3] Update __init__.py
---
 src/oncall/auth/__init__.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/oncall/auth/__init__.py b/src/oncall/auth/__init__.py
index 192b8136..95b7f84c 100644
--- a/src/oncall/auth/__init__.py
+++ b/src/oncall/auth/__init__.py
@@ -34,6 +34,27 @@ def is_god(challenger):
 def check_ical_key_admin(challenger):
 return is_god(challenger)
+def check_user_auth_event(eventId, req):
+ """
+ Check if the event Id is on a team where user is admin
+ """
+ if 'app' in req.context:
+ return
+ challenger = req.context['user']
+ connection = db.connect()
+ cursor = connection.cursor()
+ get_allowed_query = '''SELECT DISTINCT(event.id )
+ from event JOIN team on team.id = event.team_id
+ JOIN team_admin on team.id = team_admin.team_id
+ JOIN user on team_admin.user_id = user.id
+ WHERE event.id = %s and user.name = %s'''
+ cursor.execute(get_allowed_query, (eventId, challenger))
+ user_in_query = cursor.rowcount
+ cursor.close()
+ connection.close()
+ if user_in_query != 0 or is_god(challenger):
+ return
+ raise HTTPForbidden('Unauthorized', 'Action not allowed for "%s"' % challenger)
 def check_user_auth(user, req):
 """
From 393d855fed87ac617f563510bb0354c3870ff1e3 Mon Sep 17 00:00:00 2001
From: Bben <47628473+Bbillyben@users.noreply.github.com>
Date: Mon, 25 Apr 2022 18:17:03 +0200
Subject: [PATCH 3/3] Update config.yaml
---
 configs/config.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/configs/config.yaml b/configs/config.yaml
index 9abfd740..b17d1c3d 100644
--- a/configs/config.yaml
+++ b/configs/config.yaml
@@ -194,6 +194,9 @@ slack_instance: foobar
 # APIs without authentication
 require_auth: False
+# Setting to determine whether the autheticated user can modify calendar entries.
+auth_user_cal_mod: False
+
 ###########################
 ### Oncall bonus management
 ###########################
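Review bot: In `check_user_auth_event`, if `cursor.execute` raises, the cursor and connection are never closed because there is no `try/finally`; the rewrite below fixes that, replaces `cursor.rowcount` — whose value after a SELECT depends on the cursor class (buffered vs. server-side) — with `cursor.fetchone() is not None`, and checks `is_god` before touching the database. The parameterised `%s` placeholders for `eventId` and the user name are the right way to build this query and should stay exactly as they are. The `if 'app' in req.context: return` means API-key (app) callers skip the team-admin check entirely; if that follows the sibling `check_*` helpers it is consistent, but the docstring should say so, e.g. `"""Raise HTTPForbidden unless the user is god or an admin of the team owning event_id; app callers are not checked."""`. `HTTPForbidden` is not imported in this hunk, so I assume the module already has it for the other helpers. Rename `eventId` to `event_id` (PEP 8, and the style of `check_user_auth(user, req)` right below) and put two blank lines around the new def, which currently sits flush against `return is_god(challenger)` and `def check_user_auth`.
```python
def check_user_auth_event(event_id, req):
    # … unchanged: docstring and the 'app' early return …
    challenger = req.context['user']
    if is_god(challenger):
        return
    connection = db.connect()
    cursor = connection.cursor()
    # … unchanged: get_allowed_query definition …
    try:
        cursor.execute(get_allowed_query, (event_id, challenger))
        is_team_admin = cursor.fetchone() is not None
    finally:
        cursor.close()
        connection.close()
    if not is_team_admin:
        raise HTTPForbidden('Unauthorized', 'Action not allowed for "%s"' % challenger)
```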
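Review bot: The comment on `auth_user_cal_mod` has a typo (`autheticated`) and does not say what the setting actually changes; the code it gates only tightens authorisation, restricting event create/edit/delete to team admins (and god) when the value is false or unset. I would replace the comment with `# When False or unset (the default), only team admins may create, edit or delete calendar events; set True to let any logged-in team member do so.`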