Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: avoid calling undefined method for anonymous users #15440

Merged
merged 1 commit into from
Aug 22, 2024
Merged

fix: avoid calling undefined method for anonymous users #15440

merged 1 commit into from
Aug 22, 2024

Conversation

pb82
Copy link
Contributor

@pb82 pb82 commented Aug 13, 2024

SUMMARY

The method can_access_with_errors is not defined on AnonymousUser and this raises an exception when accessing the job_templates or workflow_job_templates APIs.

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • API
AWX VERSION
devel
ADDITIONAL INFORMATION

kdelee
kdelee reviewed Aug 13, 2024
View reviewed changes
awx/api/views/__init__.py
else:
can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
if not can_access:
self.permission_denied(request, message=messages)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Error occurs for me on GET, maybe on POST as well but my recreator is GET

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kdelee The request from the browser is a GET, but when I debug it, there is always a second POST request and that's the one that actually causes the error. I'm not quite sure where that's coming from, maybe @chrismeyersfsu knows?

@chrismeyersfsu
Copy link
Member

This might be a bit cleaner. I think this is the parent check_permissions call

awx/awx/api/permissions.py

Line 101 in 43a3d4a

if not request.user or request.user.is_anonymous:
and it has the logic to deny an anoymous user.

Seems like it would be safe to call the parent check_permissions() first.

I tried the below code manually and it seems to work (by work I mean deny anonymous user and allow logged in user to create a job template)

class JobTemplateList(ListCreateAPIView):
    model = models.JobTemplate
    serializer_class = serializers.JobTemplateSerializer
    always_allow_superuser = False

    def check_permissions(self, request):
        super(JobTemplateList, self).check_permissions(request)

        if request.method == 'POST':
            can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
            if not can_access:
                self.permission_denied(request, message=messages)

@pb82
Copy link
Contributor Author

pb82 commented Aug 14, 2024

@chrismeyersfsu you're correct, just calling super.check_permissions first also solves the problem. I've updated the PR.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@pb82 pb82 merged commit 3f8274d into ansible:devel Aug 22, 2024
22 checks passed
@pb82 pb82 deleted the AAP-28991 branch August 22, 2024 16:01
djyasin pushed a commit to djyasin/awx that referenced this pull request Nov 11, 2024
@pb82 @djyasin
fix: avoid calling undefined method for anonymous users (ansible#15440)
50c8da3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kdelee kdelee kdelee left review comments

@djyasin djyasin djyasin approved these changes

Assignees
No one assigned
Labels
component:api
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pb82 @chrismeyersfsu @kdelee @djyasin @thedoubl3j