Properly recognize app session keys everywhere. Also fixed a bug where the ApiUser was not properly provisioned with his roles.

2014-11-14 17:58:42 +01:00 · 2014-11-14 17:58:42 +01:00 · e9beffc799
commit e9beffc799
parent fe9dd5ef28
4 changed files with 9 additions and 29 deletions
--- a/src/octoprint/server/init.py
+++ b/src/octoprint/server/init.py
@ -165,6 +165,9 @@ def on_identity_loaded(sender, identity):


 def load_user(id):
+	if id == "_api":
+		return users.ApiUser()
+
 	if session and "usersession.id" in session:
 		sessionid = session["usersession.id"]
 	else:
--- a/src/octoprint/server/util/init.py
+++ b/src/octoprint/server/util/init.py
@ -18,14 +18,13 @@ from . import watchdog

 def get_user_for_apikey(apikey):
 	if settings().get(["api", "enabled"]) and apikey is not None:
-		if apikey == settings().get(["api", "key"]):
-			# master key was used
+		if apikey == settings().get(["api", "key"]) or octoprint.server.appSessionManager.validate(apikey):
+			# master key or an app session key was used
 			return ApiUser()
-		else:
+		elif octoprint.server.userManager is not None:
 			# user key might have been used
 			return octoprint.server.userManager.findUser(apikey=apikey)
-	else:
-		return None
+	return None


 def get_api_key(request):
--- a/src/octoprint/server/util/flask.py
+++ b/src/octoprint/server/util/flask.py
@ -123,15 +123,7 @@ def restricted_access(func, api_enabled=True):
 		# if API is globally enabled, enabled for this request and an api key is provided that is not the current UI API key, try to use that
 		apikey = octoprint.server.util.get_api_key(flask.request)
 		if settings().get(["api", "enabled"]) and api_enabled and apikey is not None and apikey != octoprint.server.UI_API_KEY:
-			if apikey == settings().get(["api", "key"]):
-				# master key was used
-				user = octoprint.users.ApiUser()
-			elif octoprint.server.appSessionManager.validate(apikey):
-				# valid app session key was used
-				user = octoprint.users.ApiUser()
-			else:
-				# user key might have been used
-				user = octoprint.server.userManager.findUser(apikey=apikey)
+			user = octoprint.server.util.get_user_for_apikey(apikey)

 			if user is None:
 				return flask.make_response("Invalid API key", 401)
@ -144,20 +136,6 @@ def restricted_access(func, api_enabled=True):
 	return decorated_view


-def api_access(func):
-	@functools.wraps(func)
-	def decorated_view(*args, **kwargs):
-		if not settings().get(["api", "enabled"]):
-			flask.make_response("API disabled", 401)
-		apikey = octoprint.server.util.get_api_key(flask.request)
-		if apikey is None:
-			flask.make_response("No API key provided", 401)
-		if apikey != settings().get(["api", "key"]):
-			flask.make_response("Invalid API key", 403)
-		return func(*args, **kwargs)
-	return decorated_view
-
-
 class AppSessionManager(object):

 	VALIDITY_UNVERIFIED = 1 * 60 # 1 minute
--- a/src/octoprint/users.py
+++ b/src/octoprint/users.py
@ -411,4 +411,4 @@ def dummy_identity_loader():

 class ApiUser(User):
 	def __init__(self):
-		User.__init__(self, "api", "", True, UserManager.valid_roles)
+		User.__init__(self, "_api", "", True, UserManager.valid_roles)