TDvorak/swingmusic-extended
1
0
Fork 0
mirror of https://github.com/Dvorinka/swingmusic-extended.git synced 2026-06-03 20:13:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

protect settings write routes

Browse Source 
+ prevent updating guest user
+ add docs to whitelisted auth routes
+ fix: sort in get all route
+ fix: folders not having trailing slash in recentlyplayed
This commit is contained in:
mungai-njoroge
2024-05-01 23:44:38 +03:00
parent cfeff7ff51
commit 5d947f3ad9
6 changed files with 37 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/api/auth.py
+19 -11
View File
@@ -83,26 +83,33 @@ def update_profile(body: UpdateProfileBody):
"roles": body.roles,
}
# prevent updating guest
if current_user["username"] == "guest" or user["username"] == "guest":
return {"msg": "Cannot update guest user"}, 400
# if not id, update self
if not user["id"]:
user["id"] = current_user["id"]
print("current_user: ", current_user)
# only admins can update roles
if body.roles is not None:
# only admins can update roles
if "admin" not in current_user["roles"]:
return {"msg": "Only admins can update roles"}, 403
all_users = authdb.get_all_users()
if "admin" not in body.roles:
# check if we're removing the last admin
users = authdb.get_all_users()
admins = [user for user in users if "admin" in user.roles]
admins = [user for user in all_users if "admin" in user.roles]
if len(admins) == 1 and admins[0].id == user["id"]:
return {"msg": "Cannot remove the only admin"}, 400
# guest roles cannot be updated
_user = [u for u in all_users if u.id == user["id"]][0]
if "guest" in _user.roles:
return {"msg": "Cannot update guest user"}, 400
# finally, convert roles to json string
user["roles"] = json.dumps(body.roles)
if user["password"]:
@@ -227,8 +234,10 @@ def get_all_users(query: GetAllUsersQuery):
"users": [],
}
is_admin = current_user and "admin" in current_user["roles"]
# if user is admin, also return settings
if current_user and "admin" in current_user["roles"]:
if is_admin:
res = {
"settings": settings,
}
@@ -248,11 +257,10 @@ def get_all_users(query: GetAllUsersQuery):
users = authdb.get_all_users()
# remove guest user
print("settings: ", settings["enableGuest"])
if not settings["enableGuest"]:
users = [user for user in users if user.username != "guest"]
# if not settings["enableGuest"]:
# users = [user for user in users if user.username != "guest"]
if not settings["usersOnLogin"]:
if not is_admin or not settings["usersOnLogin"]:
users = [user for user in users if user.username == "guest"]
# reverse list to show latest users first
app/api/getall/__init__.py
+5 -8
View File
@@ -22,7 +22,7 @@ bp_tag = Tag(name="Get all", description="List all items")
api = APIBlueprint("getall", __name__, url_prefix="/getall", abp_tags=[bp_tag])
class GetAllItemsBody(GenericLimitSchema):
class GetAllItemsQuery(GenericLimitSchema):
start: int = Field(
description="The start index of the items to return",
example=0,
@@ -34,10 +34,10 @@ class GetAllItemsBody(GenericLimitSchema):
default="created_date",
)
reverse: int = Field(
reverse: str = Field(
description="Reverse the sort",
example=1,
default=1,
default="1",
)
@@ -50,7 +50,7 @@ class GetAllItemsPath(BaseModel):
@api.get("/<itemtype>")
def get_all_items(path: GetAllItemsPath, query: GetAllItemsBody):
def get_all_items(path: GetAllItemsPath, query: GetAllItemsQuery):
"""
Get all items
@@ -67,10 +67,7 @@ def get_all_items(path: GetAllItemsPath, query: GetAllItemsBody):
start = query.start
limit = query.limit
sort = query.sortby
reverse = query.reverse == 1
# if sort == "":
# sort = "created_date"
reverse = query.reverse == "1"
sort_is_count = sort == "count"
sort_is_duration = sort == "duration"
app/api/plugins/__init__.py
+3
View File
@@ -3,6 +3,7 @@ from flask import Blueprint, request
from flask_openapi3 import Tag
from flask_openapi3 import APIBlueprint
from pydantic import BaseModel, Field
from app.api.auth import admin_required
from app.db.sqlite.plugins import PluginsMethods
bp_tag = Tag(name="Plugins", description="Manage plugins")
@@ -30,6 +31,7 @@ class PluginActivateBody(PluginBody):
@api.post("/setactive")
@admin_required()
def activate_deactivate_plugin(body: PluginActivateBody):
"""
Activate/Deactivate plugin
@@ -49,6 +51,7 @@ class PluginSettingsBody(PluginBody):
@api.post("/settings")
@admin_required()
def update_plugin_settings(body: PluginSettingsBody):
"""
Update plugin settings
app/api/settings.py
+2
View File
@@ -97,6 +97,7 @@ class AddRootDirsBody(BaseModel):
@api.post("/add-root-dirs")
@admin_required()
def add_root_dirs(body: AddRootDirsBody):
"""
Add custom root directories to the database.
@@ -216,6 +217,7 @@ class SetSettingBody(BaseModel):
@api.post("/set")
@admin_required()
def set_setting(body: SetSettingBody):
"""
Set a setting.
app/lib/home/recentlyplayed.py
+5 -1
View File
@@ -82,9 +82,13 @@ def get_recently_played(limit=7):
if entry.type == "folder":
folder = entry.type_src
if not folder:
continue
if not folder.endswith("/"):
folder += "/"
is_home_dir = entry.type_src == "$home"
if is_home_dir:
@@ -98,7 +102,7 @@ def get_recently_played(limit=7):
{
"type": "folder",
"item": {
"path": entry.type_src,
"path": folder,
"count": count,
"help_text": "folder",
"time": timestamp_to_time_passed(entry.timestamp),
manage.py
+3 -3
View File
@@ -44,7 +44,7 @@ app = create_api()
app.static_folder = get_home_res_path("client")
# INFO: Routes that don't need authentication
blacklist_routes = {"/auth/login", "/auth/users", "/auth/logout"}
whitelisted_routes = {"/auth/login", "/auth/users", "/auth/logout", "/docs"}
blacklist_extensions = {".webp"}.union(getClientFilesExtensions())
@@ -59,9 +59,9 @@ def verify_auth():
return
# if request path starts with any of the blacklisted routes, don't verify jwt
if any(request.path.startswith(route) for route in blacklist_routes):
if any(request.path.startswith(route) for route in whitelisted_routes):
# print(
# "Found blacklisted route: ", request.path, "... Skipping jwt verification"
# "Found whitelisted route: ", request.path, "... Skipping jwt verification"
# )
return