jprdonnelly/redash
1
0
Fork 0
mirror of https://github.com/getredash/redash.git synced 2025-12-23 20:01:59 -05:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2071 from getredash/bugfixes

Browse Source 
Fix #1824: allow only user API key to be used with query refresh API.
This commit is contained in:
Arik Fraimovich
2017-11-01 15:12:53 +02:00
committed by GitHub
parent 59d6eb662c 4e4a3e13ab
commit a799303f53
2 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
redash/handlers/queries.py
View File

@@ -266,6 +266,12 @@ class QueryRefreshResource(BaseResource):
Responds with query task details.
"""
# TODO: this should actually check for permissions, but because currently you can only
# get here either with a user API key or a query one, we can just check whether it's
# an api key (meaning this is a query API key, which only grants read access).
if self.current_user.is_api_user():
abort(403, message="Please use a user API key.")
query = get_object_or_404(models.Query.get_by_id_and_org, query_id, self.current_org)
require_access(query.groups, self.current_user, not_view_only)

7
tests/handlers/test_queries.py
View File

@@ -158,6 +158,13 @@ class QueryRefreshTest(BaseTestCase):
user = self.factory.create_user(group_ids=[group.id])
response = self.make_request('post', self.path, user=user)
self.assertEqual(403, response.status_code)
def test_refresh_forbiden_with_query_api_key(self):
response = self.make_request('post', '{}?api_key={}'.format(self.path, self.query.api_key), user=False)
self.assertEqual(403, response.status_code)
response = self.make_request('post', '{}?api_key={}'.format(self.path, self.factory.user.api_key), user=False)
self.assertEqual(200, response.status_code)
class TestQueryForkResourcePost(BaseTestCase):