Mercurial > libervia-web

comparison libervia/server/restricted_bridge.py @ 1480:e739600267cd

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server (restricted_bridge): don't allow bridge methods modifying anything with service profile
author Goffi <goffi@goffi.org>
date Fri, 22 Oct 2021 16:04:24 +0200
parents 97b8ce9ce54b
children 106bae41f5c8
comparison
equal deleted inserted replaced
1479:095e94ca6728 1480:e739600267cd
14 # GNU Affero General Public License for more details. 14 # GNU Affero General Public License for more details.
15 15
16 # You should have received a copy of the GNU Affero General Public License 16 # You should have received a copy of the GNU Affero General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>. 17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 18
19 from sat.tools.common import data_format
20 from sat.core import exceptions
19 from libervia.server.constants import Const as C 21 from libervia.server.constants import Const as C
20 from sat.tools.common import data_format
21 22
22 23
23 class RestrictedBridge: 24 class RestrictedBridge:
24 """Bridge with limited access, which can be used in browser 25 """Bridge with limited access, which can be used in browser
25 26
28 """ 29 """
29 30
30 def __init__(self, host): 31 def __init__(self, host):
31 self.host = host 32 self.host = host
32 self.security_limit = C.SECURITY_LIMIT 33 self.security_limit = C.SECURITY_LIMIT
34
35 def noServiceProfile(self, profile):
36 """Raise an error if service profile is used"""
37 if profile == C.SERVICE_PROFILE:
38 raise exceptions.PermissionError(
39 "This action is not allowed for service profile"
40 )
33 41
34 async def getContacts(self, profile): 42 async def getContacts(self, profile):
35 return await self.host.bridgeCall("getContacts", profile) 43 return await self.host.bridgeCall("getContacts", profile)
36 44
37 async def identityGet(self, entity, metadata_filter, use_cache, profile): 45 async def identityGet(self, entity, metadata_filter, use_cache, profile):
45 async def identitiesBaseGet(self, profile): 53 async def identitiesBaseGet(self, profile):
46 return await self.host.bridgeCall( 54 return await self.host.bridgeCall(
47 "identitiesBaseGet", profile) 55 "identitiesBaseGet", profile)
48 56
49 async def psNodeDelete(self, service_s, node, profile): 57 async def psNodeDelete(self, service_s, node, profile):
58 self.noServiceProfile(profile)
50 return await self.host.bridgeCall( 59 return await self.host.bridgeCall(
51 "psNodeDelete", service_s, node, profile) 60 "psNodeDelete", service_s, node, profile)
52 61
53 async def psNodeAffiliationsSet(self, service_s, node, affiliations, profile): 62 async def psNodeAffiliationsSet(self, service_s, node, affiliations, profile):
63 self.noServiceProfile(profile)
54 return await self.host.bridgeCall( 64 return await self.host.bridgeCall(
55 "psNodeAffiliationsSet", service_s, node, affiliations, profile) 65 "psNodeAffiliationsSet", service_s, node, affiliations, profile)
56 66
57 async def psItemRetract(self, service_s, node, item_id, notify, profile): 67 async def psItemRetract(self, service_s, node, item_id, notify, profile):
68 self.noServiceProfile(profile)
58 return await self.host.bridgeCall( 69 return await self.host.bridgeCall(
59 "psItemRetract", service_s, node, item_id, notify, profile) 70 "psItemRetract", service_s, node, item_id, notify, profile)
60 71
61 async def mbPreview(self, service_s, node, data, profile): 72 async def mbPreview(self, service_s, node, data, profile):
62 return await self.host.bridgeCall( 73 return await self.host.bridgeCall(
63 "mbPreview", service_s, node, data, profile) 74 "mbPreview", service_s, node, data, profile)
64 75
65 async def listSet(self, service_s, node, values, schema, item_id, extra, profile): 76 async def listSet(self, service_s, node, values, schema, item_id, extra, profile):
77 self.noServiceProfile(profile)
66 return await self.host.bridgeCall( 78 return await self.host.bridgeCall(
67 "listSet", service_s, node, values, "", item_id, "", profile) 79 "listSet", service_s, node, values, "", item_id, "", profile)
68 80
69 81
70 async def fileHTTPUploadGetSlot( 82 async def fileHTTPUploadGetSlot(
71 self, filename, size, content_type, upload_jid, profile): 83 self, filename, size, content_type, upload_jid, profile):
84 self.noServiceProfile(profile)
72 return await self.host.bridgeCall( 85 return await self.host.bridgeCall(
73 "fileHTTPUploadGetSlot", filename, size, content_type, 86 "fileHTTPUploadGetSlot", filename, size, content_type,
74 upload_jid, profile) 87 upload_jid, profile)
75 88
76 async def fileSharingDelete( 89 async def fileSharingDelete(
77 self, service_jid, path, namespace, profile): 90 self, service_jid, path, namespace, profile):
91 self.noServiceProfile(profile)
78 return await self.host.bridgeCall( 92 return await self.host.bridgeCall(
79 "fileSharingDelete", service_jid, path, namespace, profile) 93 "fileSharingDelete", service_jid, path, namespace, profile)
80 94
81 async def interestsRegisterFileSharing( 95 async def interestsRegisterFileSharing(
82 self, service, repos_type, namespace, path, name, extra_s, profile 96 self, service, repos_type, namespace, path, name, extra_s, profile
83 ): 97 ):
98 self.noServiceProfile(profile)
84 if extra_s: 99 if extra_s:
85 # we only allow "thumb_url" here 100 # we only allow "thumb_url" here
86 extra = data_format.deserialise(extra_s) 101 extra = data_format.deserialise(extra_s)
87 if "thumb_url" in extra: 102 if "thumb_url" in extra:
88 extra_s = data_format.serialise({"thumb_url": extra["thumb_url"]}) 103 extra_s = data_format.serialise({"thumb_url": extra["thumb_url"]})
95 ) 110 )
96 111
97 async def interestRetract( 112 async def interestRetract(
98 self, service_jid, item_id, profile 113 self, service_jid, item_id, profile
99 ): 114 ):
115 self.noServiceProfile(profile)
100 return await self.host.bridgeCall( 116 return await self.host.bridgeCall(
101 "interestRetract", service_jid, item_id, profile) 117 "interestRetract", service_jid, item_id, profile)
102 118
103 async def psInvite( 119 async def psInvite(
104 self, invitee_jid_s, service_s, node, item_id, name, extra_s, profile 120 self, invitee_jid_s, service_s, node, item_id, name, extra_s, profile
105 ): 121 ):
122 self.noServiceProfile(profile)
106 return await self.host.bridgeCall( 123 return await self.host.bridgeCall(
107 "psInvite", invitee_jid_s, service_s, node, item_id, name, extra_s, profile 124 "psInvite", invitee_jid_s, service_s, node, item_id, name, extra_s, profile
108 ) 125 )
109 126
110 async def FISInvite( 127 async def FISInvite(
111 self, invitee_jid_s, service_s, repos_type, namespace, path, name, extra_s, 128 self, invitee_jid_s, service_s, repos_type, namespace, path, name, extra_s,
112 profile 129 profile
113 ): 130 ):
131 self.noServiceProfile(profile)
114 if extra_s: 132 if extra_s:
115 # we only allow "thumb_url" here 133 # we only allow "thumb_url" here
116 extra = data_format.deserialise(extra_s) 134 extra = data_format.deserialise(extra_s)
117 if "thumb_url" in extra: 135 if "thumb_url" in extra:
118 extra_s = data_format.serialise({"thumb_url": extra["thumb_url"]}) 136 extra_s = data_format.serialise({"thumb_url": extra["thumb_url"]})
125 ) 143 )
126 144
127 async def FISAffiliationsSet( 145 async def FISAffiliationsSet(
128 self, service_s, namespace, path, affiliations, profile 146 self, service_s, namespace, path, affiliations, profile
129 ): 147 ):
148 self.noServiceProfile(profile)
130 return await self.host.bridgeCall( 149 return await self.host.bridgeCall(
131 "FISAffiliationsSet", service_s, namespace, path, affiliations, profile 150 "FISAffiliationsSet", service_s, namespace, path, affiliations, profile
132 ) 151 )
133 152
134 async def invitationSimpleCreate( 153 async def invitationSimpleCreate(
135 self, invitee_email, invitee_name, url_template, extra_s, profile 154 self, invitee_email, invitee_name, url_template, extra_s, profile
136 ): 155 ):
156 self.noServiceProfile(profile)
137 return await self.host.bridgeCall( 157 return await self.host.bridgeCall(
138 "invitationSimpleCreate", invitee_email, invitee_name, url_template, extra_s, 158 "invitationSimpleCreate", invitee_email, invitee_name, url_template, extra_s,
139 profile 159 profile
140 ) 160 )