From 76e82457e3a9c5273a555a86bba961e145f3c1a3 Mon Sep 17 00:00:00 2001 From: bruntib Date: Thu, 24 Oct 2024 15:27:30 +0200 Subject: [PATCH] [fix] Get product configuration with view permission The getProductConfiguration() function on Product endpoint requires a current product in the URL for checking view permission. The requirement of having view permission has been added in 8953b30f6d17597635ec59bb943683aacb216619. However there is no "current product" in the Product endpoint URL queries, but the product id is provided through a function parameter. --- web/server/codechecker_server/api/product_server.py | 6 +++++- web/tests/functional/products/__init__.py | 1 + web/tests/functional/products/test_products.py | 13 +++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/web/server/codechecker_server/api/product_server.py b/web/server/codechecker_server/api/product_server.py index 5daf42118a..f7cbaeadb6 100644 --- a/web/server/codechecker_server/api/product_server.py +++ b/web/server/codechecker_server/api/product_server.py @@ -67,6 +67,8 @@ def __require_permission(self, required, args=None): with DBSession(self.__session) as session: if args is None: args = dict(self.__permission_args) + + if 'config_db_session' not in args: args['config_db_session'] = session # Anonymous access is only allowed if authentication is @@ -254,7 +256,9 @@ def getProductConfiguration(self, product_id): Get the product configuration --- WITHOUT THE DB PASSWORD --- of the given product. """ - self.__require_permission([permissions.PRODUCT_VIEW]) + self.__require_permission([permissions.PRODUCT_VIEW], { + 'productID': product_id + }) with DBSession(self.__session) as session: product = session.query(Product).get(product_id) diff --git a/web/tests/functional/products/__init__.py b/web/tests/functional/products/__init__.py index 9f0643b240..520725ddc9 100644 --- a/web/tests/functional/products/__init__.py +++ b/web/tests/functional/products/__init__.py 
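Review bot: When a caller supplies `args`, `__require_permission` now writes `config_db_session` into the caller's own dict, and the stored session comes from this helper's `with DBSession(...)` block, so the caller keeps a reference to a session the helper has presumably finished with. The only caller visible in this patch, `getProductConfiguration`, passes a fresh literal, so nothing breaks today, but copying first keeps the helper free of side effects: `args = dict(self.__permission_args if args is None else args)`. The docstring should also state that a supplied `args` replaces the endpoint's default permission arguments rather than being merged with them, so the caller must pass every key the permission check needs. The rest of the function body lies outside this hunk.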
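Review bot: The new `__require_permission` call in `getProductConfiguration` has no comment explaining why it passes explicit arguments, so a later cleanup could revert it to the parameterless form and reintroduce the bug; I would add `# The Products endpoint URL carries no current product, so PRODUCT_VIEW is checked against the requested product_id.` above it. Because the check now runs on a client-supplied id before `session.query(Product).get(product_id)` loads the row, it is worth confirming that an id matching no product is denied rather than allowed. The permission code that decides this is not visible in the hunk, and the function body continues past it.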
@@ -96,6 +96,7 @@ def setup_class_common(workspace_name): # Export the test configuration to the workspace. env.export_test_cfg(TEST_WORKSPACE, test_config) + env.enable_auth(TEST_WORKSPACE) def teardown_class_common(): diff --git a/web/tests/functional/products/test_products.py b/web/tests/functional/products/test_products.py index 41982e3fbd..ee8da77ef1 100644 --- a/web/tests/functional/products/test_products.py +++ b/web/tests/functional/products/test_products.py @@ -181,6 +181,19 @@ def test_get_product_data(self): Confidentiality.CONFIDENTIAL, "Default Confidentiality was not Confidential") + def test_get_product_config_auth_server(self): + """ + Test if product configuration can be retrieved from an authenticated + server. + """ + pr_client = env.setup_product_client( + self.test_workspace, product=self.product_name) + product_id = pr_client.getCurrentProduct().id + + pr_client = env.setup_product_client(self.test_workspace) + pr_config = pr_client.getProductConfiguration(product_id) + self.assertIsNotNone(pr_config) + def test_editing(self): """ Test editing the product details (without reconnecting it).
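Review bot: `test_get_product_config_auth_server` only checks `assertIsNotNone(pr_config)` on the allowed path, so it would still pass if the permission check were removed altogether. Since the commit is an authorization fix, the test should also request the configuration as a user who lacks view permission on the product and assert that the call is rejected, and on the allowed path assert that the returned configuration belongs to `product_id`. Which account the second `env.setup_product_client(self.test_workspace)` call authenticates as is not visible here; naming it in the docstring would make the intent clear. The `env.enable_auth(TEST_WORKSPACE)` line added to `setup_class_common` in the previous hunk turns authentication on for every test in this package and deserves a one-line comment saying so.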