inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-07-31 17:11:34 +00:00
Code Activity

Enhanced permission checks for API (#10096)

Browse Source 
* Enhanced permission checks for API

- Ensure user is authenticated
- Raise PermissionDenied

* Add unit test for unauthenticated user

* Exclude lines from coverage
This commit is contained in:
Oliver
2025-07-29 10:43:25 +10:00
committed by GitHub
parent aee45887b3
commit d01869a917
3 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/backend/InvenTree/InvenTree/permissions.py
View File

@@ -363,6 +363,9 @@ class UserSettingsPermissionsOrScope(OASTokenMixin, permissions.BasePermission):
except AttributeError: # pragma: no cover except AttributeError: # pragma: no cover
return False return False
if not user.is_authenticated:
return False
return user == obj.user return user == obj.user
def has_permission(self, request, view): def has_permission(self, request, view):

7
src/backend/InvenTree/common/api.py
View File

@@ -275,6 +275,9 @@ class UserSettingsList(SettingsList):
queryset = super().filter_queryset(queryset) queryset = super().filter_queryset(queryset)
if not user.is_authenticated: # pragma: no cover
raise PermissionDenied('User must be authenticated to access user settings')
queryset = queryset.filter(user=user) queryset = queryset.filter(user=user)
return queryset return queryset
@@ -351,6 +354,10 @@ class NotificationList(NotificationMessageMixin, BulkDeleteMixin, ListAPI):
return common.models.NotificationMessage.objects.none() return common.models.NotificationMessage.objects.none()
queryset = super().filter_queryset(queryset) queryset = super().filter_queryset(queryset)
if not user.is_authenticated: # pragma: no cover
raise PermissionDenied('User must be authenticated to access notifications')
queryset = queryset.filter(user=user) queryset = queryset.filter(user=user)
return queryset return queryset

15
src/backend/InvenTree/common/tests.py
View File

@@ -661,6 +661,21 @@ class GlobalSettingsApiTest(InvenTreeAPITestCase):
class UserSettingsApiTest(InvenTreeAPITestCase): class UserSettingsApiTest(InvenTreeAPITestCase):
"""Tests for the user settings API.""" """Tests for the user settings API."""
def test_unauthenticated_user(self):
"""Test access with unauthenticated user."""
self.client.logout()
# Check list API endpoint
url = reverse('api-user-setting-list')
response = self.get(url, expected_code=401).data
self.assertIn(
'Authentication credentials were not provided', str(response['detail'])
)
# Check the detail API endpoint
url = reverse('api-user-setting-detail', kwargs={'key': 'LABEL_INLINE'})
self.get(url, expected_code=401)
def test_user_settings_api_list(self): def test_user_settings_api_list(self):
"""Test list URL for user settings.""" """Test list URL for user settings."""
url = reverse('api-user-setting-list') url = reverse('api-user-setting-list')