

api: remove as_su
as_su has a vulnerability.
It was originally added for dropping su privileges, but is now
unnecessary due to django-impersonate.
nyiyui committed Jan 8, 2024
1 parent 1afc5a2 commit c058cb5
Showing 3 changed files with 176 additions and 13 deletions.
5 changes: 0 additions & 5 deletions core/api/utils/last_modified.py
Expand Up @@ -20,15 +20,10 @@ class GenericAPIViewWithDebugInfo(generics.GenericAPIView):
def get_admin_url(self):
return None

def get_as_su(self):
return False

def get(self, *args, **kwargs):
resp = super().get(*args, **kwargs)
if admin_url := self.get_admin_url():
resp["X-Admin-URL"] = admin_url
if self.get_as_su():
resp["X-As-SU"] = "true"

return resp

9 changes: 1 addition & 8 deletions core/api/utils/polymorphism.py
Expand Up @@ -59,20 +59,13 @@ def get_providers_by_operation(


class ObjectAPIView(generics.GenericAPIView):
def get_as_su(self):
return self.as_su

def initial(self, *args, **kwargs):
super().initial(*args, **kwargs)
self.request.mutate = self.mutate
self.request.kind = self.kind
self.request.detail = self.detail
self.provider = provider = get_provider(kwargs.pop("type"))(self.request)
if as_su := (self.request.GET.get("as-su") == "true"):
self.permission_classes = [permissions.AllowAny]
else:
self.permission_classes = provider.permission_classes
self.as_su = as_su # if the user is a SU
self.permission_classes = provider.permission_classes
self.serializer_class = provider.serializer_class
self.additional_lookup_fields = self._compile_lookup_fields()
self.listing_filters = getattr(
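Review bot: The new line `self.permission_classes = provider.permission_classes` is assigned after `super().initial(*args, **kwargs)` has already returned, and since `ObjectAPIView` derives from `generics.GenericAPIView`, DRF's `APIView.initial()` is where `check_permissions()` runs, so the view-level permission check appears to be evaluated against the class default `permission_classes` rather than the provider's (object-level checks made later through `get_object()` would see the updated list). This ordering predates the commit, but with the `as-su` bypass gone the provider list is now the only source of view permissions, so it is worth confirming. If the later assignment is intentional, a comment such as `# provider permissions only apply to object-level checks; view-level check already ran in super().initial()` would make that explicit; otherwise move the assignment before the `super().initial()` call or re-run `self.check_permissions(self.request)` after it. `initial()` continues past the end of the hunk.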
175 changes: 175 additions & 0 deletions flake.lock

