Skip to content

Commit

Permalink
restrict kernel uploads to verified members and admins (#641)
Browse files Browse the repository at this point in the history 
* restrict krec/kernel uploads to verified members and admins

* Removed unused import

* store/app/routers/krecs.py
  • Loading branch information
@ivntsng
ivntsng authored Nov 26, 2024
1 parent e93acff commit 731fcb2
Show file tree
Hide file tree
Showing 5 changed files with 70 additions and 4 deletions.
2 changes: 2 additions & 0 deletions frontend/src/components/pages/Profile.tsx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,8 @@ export const RenderProfile = (props: RenderProfileProps) => {
return "Moderator";
case permissions.includes("is_content_manager"):
return "Content Manager";
case permissions.includes("is_verified_member"):
return "Verified Member";
default:
return "Member";
}
Expand Down
51 changes: 48 additions & 3 deletions frontend/src/gen/api.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1276,6 +1276,26 @@ export interface paths {
patch?: never;
trace?: never;
};
"/teleop/rtc/check": {
parameters: {
query?: never;
header?: never;
path?: never;
cookie?: never;
};
/**
* Check Auth
* @description Validates the user's API key and returns their user ID.
*/
get: operations["check_auth_teleop_rtc_check_get"];
put?: never;
post?: never;
delete?: never;
options?: never;
head?: never;
patch?: never;
trace?: never;
};
"/krecs/upload": {
parameters: {
query?: never;
Expand Down Expand Up @@ -1462,6 +1482,11 @@ export interface components {
/** Details */
details: string;
};
/** CheckAuthResponse */
CheckAuthResponse: {
/** User Id */
user_id: string;
};
/** ClientIdResponse */
ClientIdResponse: {
/** Client Id */
Expand Down Expand Up @@ -1851,7 +1876,7 @@ export interface components {
/** Google Id */
google_id: string | null;
/** Permissions */
permissions: ("is_admin" | "is_mod" | "is_content_manager")[] | null;
permissions: ("is_admin" | "is_mod" | "is_content_manager" | "is_verified_member")[] | null;
/** First Name */
first_name: string | null;
/** Last Name */
Expand Down Expand Up @@ -2027,7 +2052,7 @@ export interface components {
/** Username */
username: string;
/** Permissions */
permissions?: ("is_admin" | "is_mod" | "is_content_manager")[] | null;
permissions?: ("is_admin" | "is_mod" | "is_content_manager" | "is_verified_member")[] | null;
/** Created At */
created_at?: number | null;
/** Updated At */
Expand Down Expand Up @@ -2306,7 +2331,7 @@ export interface components {
/** Username */
username: string;
/** Permissions */
permissions?: ("is_admin" | "is_mod" | "is_content_manager")[] | null;
permissions?: ("is_admin" | "is_mod" | "is_content_manager" | "is_verified_member")[] | null;
/** Created At */
created_at: number;
/** Updated At */
Expand Down Expand Up @@ -4620,6 +4645,26 @@ export interface operations {
};
};
};
check_auth_teleop_rtc_check_get: {
parameters: {
query?: never;
header?: never;
path?: never;
cookie?: never;
};
requestBody?: never;
responses: {
/** @description Successful Response */
200: {
headers: {
[name: string]: unknown;
};
content: {
"application/json": components["schemas"]["CheckAuthResponse"];
};
};
};
};
create_krec_krecs_upload_post: {
parameters: {
query?: never;
Expand Down
2 changes: 1 addition & 1 deletion store/app/model.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ class StoreBaseModel(BaseModel):
id: str


UserPermission = Literal["is_admin", "is_mod", "is_content_manager"]
UserPermission = Literal["is_admin", "is_mod", "is_content_manager", "is_verified_member"]


class UserStripeConnect(BaseModel):
Expand Down
6 changes: 6 additions & 0 deletions store/app/routers/artifacts.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -439,6 +439,12 @@ async def get_presigned_url(
detail="Filename was not provided",
)

user_permissions = user.permissions or set()
if not ("is_admin" in user_permissions or "is_verified_member" in user_permissions):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, detail="Only verified members and admins can upload kernel images"
)

if not Path(filename).suffix.lower() == ".img":
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST, detail="Only .img files are supported for kernel uploads"
Expand Down
13 changes: 13 additions & 0 deletions store/app/routers/teleop/webrtc.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@

from fastapi import APIRouter, Depends, WebSocket, WebSocketDisconnect
from fastapi.responses import StreamingResponse
from pydantic import BaseModel

from store.app.db import Crud
from store.app.model import TeleopICECandidate, User
Expand Down Expand Up @@ -75,3 +76,15 @@ async def poll_ice_candidates(
content=ice_candidates_generator(user.id, robot_id, crud),
media_type="text/event-stream",
)


class CheckAuthResponse(BaseModel):
user_id: str


@router.get("/check", response_model=CheckAuthResponse)
async def check_auth(
user: Annotated[User, Depends(get_session_user_with_write_permission)],
) -> CheckAuthResponse:
"""Validates the user's API key and returns their user ID."""
return CheckAuthResponse(user_id=user.id)

0 comments on commit 731fcb2

Please sign in to comment.