fixed redemption of signed access tokens

2024-08-15 03:31:16 +02:00 · 2024-08-15 03:31:16 +02:00 · 168a6a5af6
commit 168a6a5af6
parent 4b71893198
4 changed files with 92 additions and 14 deletions
--- a/src/c3nav/control/forms.py
+++ b/src/c3nav/control/forms.py
@ -40,12 +40,15 @@ class AccessPermissionForm(Form):

        # remember author if this form is saved
        self.author = author or request.user
-        author_permissions = request.user_permissions if request else author.permissions
+        author_permissions = request.user_permissions if request else UserPermissions.get_for_user(author)

        self.expire_date = expire_date

        # determine which access permissions the author can grant
-        self.author_access_permissions = AccessPermission.get_for_request_with_expire_date(request, can_grant=True)
+        if request:
+            self.author_access_permissions = AccessPermission.get_for_request_with_expire_date(request, can_grant=True)
+        else:
+            self.author_access_permissions = AccessPermission.get_for_user_with_expire_date(author, can_grant=True)

        access_restrictions = AccessRestriction.objects.filter(
            pk__in=self.author_access_permissions.keys()
@ -62,7 +65,11 @@ class AccessPermissionForm(Form):
        }

        # get access permission groups
-        groups = AccessRestrictionGroup.qs_for_request(request).prefetch_related(
+        if request:
+            groups = AccessRestrictionGroup.qs_for_request(request)
+        else:
+            groups = AccessRestrictionGroup.qs_for_user(author)
+        groups = groups.prefetch_related(
            Prefetch('accessrestrictions', AccessRestriction.objects.only('pk'))
        )
        self.group_contents: dict[int, set[int]] = {
@ -199,7 +206,7 @@ class AccessPermissionForm(Form):
        data = {
            'id': self.data['access_restrictions'],
            'time': int(time.time()),
-            'valid_until': int(self.cleaned_data['expires'].strftime('%s')),
+            'valid_until': int(self.cleaned_data['expires'].strftime('%s')) if self.cleaned_data['expires'] else None,
            'author': self.author.pk,
        }
        if key is not None:
@ -265,7 +272,7 @@ class AccessPermissionForm(Form):
            raise SignedPermissionDataError('Author does not exist.')

        api_secrets = author.api_secrets.filter(
-            scope_grant_permission=True
+            scope_grant_permissions=True
        ).valid_only().values_list('api_secret', flat=True)
        if not api_secrets:
            raise SignedPermissionDataError('Author has no API secret.')
--- a/src/c3nav/control/views/access.py
+++ b/src/c3nav/control/views/access.py
@ -1,3 +1,4 @@
+from contextlib import suppress
 from urllib.parse import urlencode

 from django.conf import settings
@ -22,8 +23,9 @@ def grant_access(request):  # todo: make class based view
            token = form.get_token()
            token.save()
            if settings.DEBUG:
-                signed_data = form.get_signed_data()
-                print('/?'+urlencode({'access': signed_data}))
+                with suppress(ValueError):
+                    signed_data = form.get_signed_data()
+                    print('/?'+urlencode({'access': signed_data}))
            return redirect(reverse('control.access.qr', kwargs={'token': token.token}))
    else:
        form = AccessPermissionForm(request=request)