Enhanced permission checks for API (#10096)

* Enhanced permission checks for API - Ensure user is authenticated - Raise PermissionDenied * Add unit test for unauthenticated user * Exclude lines from coverage
2025-07-30 00:21:34 +00:00 · 2025-07-29 10:43:25 +10:00
parent aee45887b3
commit d01869a917
3 changed files with 25 additions and 0 deletions
--- a/src/backend/InvenTree/InvenTree/permissions.py
+++ b/src/backend/InvenTree/InvenTree/permissions.py
@@ -363,6 +363,9 @@ class UserSettingsPermissionsOrScope(OASTokenMixin, permissions.BasePermission):
        except AttributeError:  # pragma: no cover
            return False

+        if not user.is_authenticated:
+            return False
+
        return user == obj.user

    def has_permission(self, request, view):
--- a/src/backend/InvenTree/common/api.py
+++ b/src/backend/InvenTree/common/api.py
@@ -275,6 +275,9 @@ class UserSettingsList(SettingsList):

        queryset = super().filter_queryset(queryset)

+        if not user.is_authenticated:  # pragma: no cover
+            raise PermissionDenied('User must be authenticated to access user settings')
+
        queryset = queryset.filter(user=user)

        return queryset
@@ -351,6 +354,10 @@ class NotificationList(NotificationMessageMixin, BulkDeleteMixin, ListAPI):
            return common.models.NotificationMessage.objects.none()

        queryset = super().filter_queryset(queryset)
+
+        if not user.is_authenticated:  # pragma: no cover
+            raise PermissionDenied('User must be authenticated to access notifications')
+
        queryset = queryset.filter(user=user)
        return queryset

--- a/src/backend/InvenTree/common/tests.py
+++ b/src/backend/InvenTree/common/tests.py
@@ -661,6 +661,21 @@ class GlobalSettingsApiTest(InvenTreeAPITestCase):
 class UserSettingsApiTest(InvenTreeAPITestCase):
    """Tests for the user settings API."""

+    def test_unauthenticated_user(self):
+        """Test access with unauthenticated user."""
+        self.client.logout()
+
+        # Check list API endpoint
+        url = reverse('api-user-setting-list')
+        response = self.get(url, expected_code=401).data
+        self.assertIn(
+            'Authentication credentials were not provided', str(response['detail'])
+        )
+
+        # Check the detail API endpoint
+        url = reverse('api-user-setting-detail', kwargs={'key': 'LABEL_INLINE'})
+        self.get(url, expected_code=401)
+
    def test_user_settings_api_list(self):
        """Test list URL for user settings."""
        url = reverse('api-user-setting-list')