From 7afbbcae581c051db3aae70a455f532fdf6e33a2 Mon Sep 17 00:00:00 2001
From: Ivan
Date: Mon, 25 Nov 2024 16:43:49 -0800
Subject: [PATCH] Fix permission check for read-only API keys

---
 store/app/model.py | 11 ++++++++++-
 store/app/routers/teleop/webrtc.py | 7 +++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/store/app/model.py b/store/app/model.py
index 4d3fa1f6..48fe4811 100644
--- a/store/app/model.py
+++ b/store/app/model.py
@@ -9,7 +9,7 @@
 from datetime import datetime, timedelta
 from typing import Literal, Self, cast, get_args
 
-from pydantic import BaseModel
+from pydantic import BaseModel, field_validator
 
 from store.app.errors import InternalError
 from store.app.utils.password import hash_password
@@ -152,6 +152,15 @@ class APIKey(StoreBaseModel):
     ttl: int | None = None
     created_at: int
 
+    @field_validator("permissions", mode="before")
+    @classmethod
+    def convert_permissions_to_set(
+        cls, v: list[APIKeyPermission] | set[APIKeyPermission] | None
+    ) -> set[APIKeyPermission] | None:
+        if isinstance(v, list):
+            return set(v)
+        return v
+
     @classmethod
     def create(cls, user_id: str, source: APIKeySource, permissions: APIKeyPermissionSet) -> Self:
         if permissions == "full":
diff --git a/store/app/routers/teleop/webrtc.py b/store/app/routers/teleop/webrtc.py
index 7e50fc2d..7926ff61 100644
--- a/store/app/routers/teleop/webrtc.py
+++ b/store/app/routers/teleop/webrtc.py
@@ -11,7 +11,10 @@
 from store.app.db import Crud
 from store.app.model import TeleopICECandidate, User
 
-from store.app.security.user import get_session_user_with_write_permission
+from store.app.security.user import (
+    get_session_user_with_read_permission,
+    get_session_user_with_write_permission,
+)
 
 router = APIRouter()
 
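Review bot: convert_permissions_to_set has no docstring, and since the subject line says this is what makes permission checks work for read-only keys, the reason a list reaches a set-typed field should be recorded next to the validator; I would add `"""Coerce a list of permissions (e.g. as read back from storage) into a set before field validation."""`, with the storage detail confirmed against wherever APIKey instances are loaded. The `isinstance(v, list)` guard only handles lists; a tuple or other iterable is passed through unchanged to the field's own validation, so `if isinstance(v, (list, tuple)):` would cover the same intent more broadly if such values can occur. Because the validator runs with `mode="before"`, every element is still validated against the field's declared element type afterwards (assuming the field is declared as a set of APIKeyPermission, as the return annotation suggests), so this coercion cannot introduce a permission value outside the allowed set. The APIKey class and the `permissions` field declaration start outside the hunk.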
@@ -84,7 +87,7 @@ class CheckAuthResponse(BaseModel):
 
 @router.get("/check", response_model=CheckAuthResponse)
 async def check_auth(
-    user: Annotated[User, Depends(get_session_user_with_write_permission)],
+    user: Annotated[User, Depends(get_session_user_with_read_permission)],
 ) -> CheckAuthResponse:
     """Validates the user's API key and returns their user ID."""
     return CheckAuthResponse(user_id=user.id)
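Review bot: The docstring on check_auth reads as if nothing changed, although the dependency on the line above now accepts keys with read permission instead of requiring write; make the relaxed requirement explicit so it is not tightened back by accident: `"""Validates the user's API key (read permission is sufficient) and returns their user ID."""`. The visible body only returns `user.id`, so loosening the guard here does not expose a mutating operation; the write-permission dependency stays imported in the earlier hunk, presumably for the other routes in this file, which are outside this diff. It would be worth pinning the new boundary with a test that a read-only key gets a 200 from /check while the write-guarded routes still reject it.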