feat: permission and security fixes (#5266)

2025-12-11 03:46:52 +08:00 · 2024-06-17 03:06:32 -05:00
parent a1d8c86ee3
commit cc4a4ec796
13 changed files with 186 additions and 104 deletions
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -129,6 +129,10 @@ class AppApi(Resource):
    @marshal_with(app_detail_fields_with_site)
    def put(self, app_model):
        """Update app"""
+        # The role of the current user in the ta table must be admin, owner, or editor
+        if not current_user.is_editor:
+            raise Forbidden()
+        
        parser = reqparse.RequestParser()
        parser.add_argument('name', type=str, required=True, nullable=False, location='json')
        parser.add_argument('description', type=str, location='json')
@@ -147,6 +151,7 @@ class AppApi(Resource):
    @get_app_model
    def delete(self, app_model):
        """Delete app"""
+        # The role of the current user in the ta table must be admin, owner, or editor
        if not current_user.is_editor:
            raise Forbidden()

@@ -203,6 +208,10 @@ class AppNameApi(Resource):
    @get_app_model
    @marshal_with(app_detail_fields)
    def post(self, app_model):
+        # The role of the current user in the ta table must be admin, owner, or editor
+        if not current_user.is_editor:
+            raise Forbidden()
+        
        parser = reqparse.RequestParser()
        parser.add_argument('name', type=str, required=True, location='json')
        args = parser.parse_args()
@@ -220,6 +229,10 @@ class AppIconApi(Resource):
    @get_app_model
    @marshal_with(app_detail_fields)
    def post(self, app_model):
+        # The role of the current user in the ta table must be admin, owner, or editor
+        if not current_user.is_editor:
+            raise Forbidden()
+        
        parser = reqparse.RequestParser()
        parser.add_argument('icon', type=str, location='json')
        parser.add_argument('icon_background', type=str, location='json')
@@ -241,6 +254,7 @@ class AppSiteStatus(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        if not current_user.is_editor:
            raise Forbidden()
+        
        parser = reqparse.RequestParser()
        parser.add_argument('enable_site', type=bool, required=True, location='json')
        args = parser.parse_args()
@@ -261,6 +275,7 @@ class AppApiStatus(Resource):
        # The role of the current user in the ta table must be admin or owner
        if not current_user.is_admin_or_owner:
            raise Forbidden()
+        
        parser = reqparse.RequestParser()
        parser.add_argument('enable_api', type=bool, required=True, location='json')
        args = parser.parse_args()