Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-11-23 19:32:29 +01:00
Code Issues Releases Wiki Activity

Updated API session auth to consider public access setting

Browse Source 
For #3091
This commit is contained in:
Dan Brown 2021-11-30 13:55:56 +00:00
parent b4fa82e329
commit 3b3eb0f44f
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/Http/Middleware/ApiAuthenticate.php
View File

@ -35,7 +35,7 @@ class ApiAuthenticate
// Return if the user is already found to be signed in via session-based auth. // Return if the user is already found to be signed in via session-based auth.
// This is to make it easy to browser the API via browser after just logging into the system. // This is to make it easy to browser the API via browser after just logging into the system.
if (signedInUser() || session()->isStarted()) { if (signedInUser() || session()->isStarted()) {
if (!user()->can('access-api')) { if (!$this->sessionUserHasApiAccess()) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403); throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
} }
@ -49,6 +49,15 @@ class ApiAuthenticate
auth()->authenticate(); auth()->authenticate();
} }
/**
* Check if the active session user has API access
*/
protected function sessionUserHasApiAccess(): bool
{
$hasApiPermission = user()->can('access-api');
return $hasApiPermission && hasAppAccess();
}
/** /**
* Provide a standard API unauthorised response. * Provide a standard API unauthorised response.
*/ */

21
tests/Api/ApiAuthTest.php
View File

@ -3,6 +3,7 @@
namespace Tests\Api; namespace Tests\Api;
use BookStack\Auth\Permissions\RolePermission; use BookStack\Auth\Permissions\RolePermission;
use BookStack\Auth\Role;
use BookStack\Auth\User; use BookStack\Auth\User;
use Carbon\Carbon; use Carbon\Carbon;
use Tests\TestCase; use Tests\TestCase;
@ -91,6 +92,26 @@ class ApiAuthTest extends TestCase
$resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403)); $resp->assertJson($this->errorResponse('The owner of the used API token does not have permission to make API calls', 403));
} }
public function test_access_prevented_for_guest_users_with_api_permission_while_public_access_disabled()
{
$this->disableCookieEncryption();
$publicRole = Role::getSystemRole('public');
$accessApiPermission = RolePermission::getByName('access-api');
$publicRole->attachPermission($accessApiPermission);
$this->withCookie('bookstack_session', 'abc123');
// Test API access when not public
setting()->put('app-public', false);
$resp = $this->get($this->endpoint);
$resp->assertStatus(403);
// Test API access when public
setting()->put('app-public', true);
$resp = $this->get($this->endpoint);
$resp->assertStatus(200);
}
public function test_token_expiry_checked() public function test_token_expiry_checked()
{ {
$editor = $this->getEditor(); $editor = $this->getEditor();