Security: disallow requests to api if setting disabled

This commit is contained in:
shamoon 2024-05-15 07:06:12 -07:00
parent 97eec44647
commit 273dc24af0
2 changed files with 51 additions and 0 deletions


@ -52,6 +52,17 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
header = settings.HTTP_REMOTE_USER_HEADER_NAME
def process_request(self, request: HttpRequest) -> None:
# If remote user auth is enabled only for the frontend, not the API,
# then we need dont want to authenticate the user for API requests.
if (
"/api/" in request.path
and "paperless.auth.PaperlessRemoteUserAuthentication"
not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
):
return
return super().process_request(request)
class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
"""


@ -88,6 +88,46 @@ class TestRemoteUser(DirectoriesMixin, APITestCase):
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_remote_user_api_disabled(self):
"""
GIVEN:
- Configured user
- Remote user auth is disabled for the API
WHEN:
- API call is made to get documents
THEN:
- Call fails
"""
with mock.patch.dict(
os.environ,
{
"PAPERLESS_ENABLE_HTTP_REMOTE_USER": "True",
"PAPERLESS_ENABLE_HTTP_REMOTE_USER_API": "False",
},
):
_parse_remote_user_settings()
response = self.client.get("/api/documents/")
# 403 testing locally, 401 on ci...
self.assertIn(
response.status_code,
[status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
)
response = self.client.get(
"/api/documents/",
headers={
"Remote-User": self.user.username,
},
)
self.assertIn(
response.status_code,
[status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
)
def test_remote_user_header_setting(self):
"""
GIVEN:
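Review bot: The assertion on lines 60–63 accepts either 401 or 403 for the request that carries `Remote-User`, and the comment on line 49 concedes the code differs between local runs and CI; a test whose expected value floats like that is weaker than it looks, since 403 is also what DRF returns for an authenticated user who merely lacks permission, so the assertion cannot by itself distinguish "header ignored" from "header honoured, then denied". Resolve the local/CI difference (it is presumably the `WWW-Authenticate` behaviour of whichever authenticator runs first) and pin one code, or additionally assert on something that only an unauthenticated request produces, such as the `detail` message in `response.json()`. Separately, `_parse_remote_user_settings()` on line 47 is re-run only inside the `mock.patch.dict` block, so if that helper writes into module-level settings the patched values will outlive the `with` and leak into later tests — I cannot confirm from this hunk how the helper stores its result, but re-running it after the block (or in `tearDown`) would remove the doubt.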