
Only attempt to process session key if user is authenticated

Jeremy Stretch il y a 8 ans
Parent
commit
0899a1052e
1 fichiers modifiés avec 22 ajouts et 21 suppressions
  1. 22 21
      netbox/secrets/api/views.py

+ 22 - 21
netbox/secrets/api/views.py

@@ -64,27 +64,28 @@ class SecretViewSet(WritableSerializerMixin, ModelViewSet):
 
         super(SecretViewSet, self).initial(request, *args, **kwargs)
 
-        # Read session key from HTTP cookie or header if it has been provided. The session key must be provided in order
-        # to encrypt/decrypt secrets.
-        if 'session_key' in request.COOKIES:
-            session_key = base64.b64decode(request.COOKIES['session_key'])
-        elif 'HTTP_X_SESSION_KEY' in request.META:
-            session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
-        else:
-            session_key = None
-
-        # We can't encrypt secret plaintext without a session key.
-        # assert False, self.action
-        if self.action in ['create', 'update'] and session_key is None:
-            raise ValidationError("A session key must be provided when creating or updating secrets.")
-
-        # Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
-        if session_key is not None:
-            try:
-                sk = SessionKey.objects.get(userkey__user=request.user)
-                self.master_key = sk.get_master_key(session_key)
-            except (SessionKey.DoesNotExist, InvalidSessionKey):
-                raise ValidationError("Invalid session key.")
+        if request.user.is_authenticated():
+
+            # Read session key from HTTP cookie or header if it has been provided. The session key must be provided in
+            # order to encrypt/decrypt secrets.
+            if 'session_key' in request.COOKIES:
+                session_key = base64.b64decode(request.COOKIES['session_key'])
+            elif 'HTTP_X_SESSION_KEY' in request.META:
+                session_key = base64.b64decode(request.META['HTTP_X_SESSION_KEY'])
+            else:
+                session_key = None
+
+            # We can't encrypt secret plaintext without a session key.
+            if self.action in ['create', 'update'] and session_key is None:
+                raise ValidationError("A session key must be provided when creating or updating secrets.")
+
+            # Attempt to retrieve the master key for encryption/decryption if a session key has been provided.
+            if session_key is not None:
+                try:
+                    sk = SessionKey.objects.get(userkey__user=request.user)
+                    self.master_key = sk.get_master_key(session_key)
+                except (SessionKey.DoesNotExist, InvalidSessionKey):
+                    raise ValidationError("Invalid session key.")
 
     def retrieve(self, request, *args, **kwargs):
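Review bot: The two `base64.b64decode(...)` calls on the new side (the cookie branch and the `HTTP_X_SESSION_KEY` header branch) still decode a client-supplied value with no error handling, so a malformed or mis-padded value raises `binascii.Error` (a `ValueError` subclass; `TypeError` on Python 2) out of `initial()` and surfaces as a server error rather than the 400 that the later `"Invalid session key."` path produces. Wrapping the decode and mapping failures onto the same `ValidationError` keeps the behaviour consistent for every bad-input case and avoids leaking a traceback for a request the caller controls. Decoding into a separate variable also lets the cookie-vs-header selection stay exactly as written. Note that the enclosing `initial()` signature is above the hunk, and that for an unauthenticated request a supplied session key is now silently ignored; I assume the permission classes reject such writes, so a one-line comment such as `# Unauthenticated requests never reach the encrypt/decrypt path; permissions reject them downstream.` would make that intent explicit.
```python
        if request.user.is_authenticated():

            # … unchanged: comment on cookie/header source …
            if 'session_key' in request.COOKIES:
                encoded_key = request.COOKIES['session_key']
            elif 'HTTP_X_SESSION_KEY' in request.META:
                encoded_key = request.META['HTTP_X_SESSION_KEY']
            else:
                encoded_key = None

            # A value the client controls; reject anything that is not valid base64 as a 400, not a 500.
            session_key = None
            if encoded_key is not None:
                try:
                    session_key = base64.b64decode(encoded_key)
                except (TypeError, ValueError):
                    raise ValidationError("Invalid session key.")

            # … unchanged: create/update requires a session key; master key retrieval …
```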