mirror of https://github.com/CIRCL/AIL-framework
chg: [UI] abort 403 and 404
parent
8ab66e7309
commit
df4969be82
|
@ -274,6 +274,14 @@ def _handle_client_error(e):
|
||||||
else:
|
else:
|
||||||
return e
|
return e
|
||||||
|
|
||||||
|
@app.errorhandler(403)
|
||||||
|
def error_page_not_found(e):
|
||||||
|
if request.path.startswith('/api/'): ## # TODO: add baseUrl
|
||||||
|
return Response(json.dumps({"status": "error", "reason": "403 Access Denied"}) + '\n', mimetype='application/json'), 403
|
||||||
|
else:
|
||||||
|
# avoid endpoint enumeration
|
||||||
|
return page_forbidden(e)
|
||||||
|
|
||||||
@app.errorhandler(404)
|
@app.errorhandler(404)
|
||||||
def error_page_not_found(e):
|
def error_page_not_found(e):
|
||||||
if request.path.startswith('/api/'): ## # TODO: add baseUrl
|
if request.path.startswith('/api/'): ## # TODO: add baseUrl
|
||||||
|
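Review bot: The new 403 handler is named `error_page_not_found`, the same name the 404 handler a few lines below redefines; Flask keeps the function object registered at decoration time so dispatch still works, but the shadowed name misleads readers and linters flag the redefinition. Rename it `def error_page_forbidden(e):` and give it a one-line docstring such as `"""403 handler: JSON body for /api/ paths, login-guarded error page otherwise."""`. The `# avoid endpoint enumeration` comment does apply in this branch, since `page_forbidden` is `@login_required` (next hunk) and an anonymous caller is therefore redirected to login instead of confirming the resource exists, but spelling that out would make the reason for calling a login-guarded view from inside an error handler clear. The 404 handler's body continues outside the hunk.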
@ -289,6 +297,10 @@ def _handle_client_error(e):
|
||||||
else:
|
else:
|
||||||
return e
|
return e
|
||||||
|
|
||||||
|
@login_required
|
||||||
|
def page_forbidden(e):
|
||||||
|
return render_template("error/403.html"), 403
|
||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
def page_not_found(e):
|
def page_not_found(e):
|
||||||
# avoid endpoint enumeration
|
# avoid endpoint enumeration
|
||||||
|
|
|
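Review bot: `page_forbidden` is decorated with `@login_required` without any comment, and a reader may take it for a mistake on an error page; the 403 handler depends on it to redirect unauthenticated requests to login rather than reveal the resource. Add a docstring stating that the login guard is deliberate and mirrors `page_not_found`. Note also that flask_login's unauthorized path, when no `login_view` (or callback) is configured on the login manager, aborts with 401 from within the 403 handler — the login manager setup is not visible here, so worth confirming.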
@ -51,6 +51,10 @@ def api_validator(message, code):
|
||||||
|
|
||||||
|
|
||||||
def create_json_response(data, status_code):
|
def create_json_response(data, status_code):
|
||||||
|
if status_code == 403:
|
||||||
|
abort(403)
|
||||||
|
elif status_code == 404:
|
||||||
|
abort(404)
|
||||||
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
|
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
|
||||||
|
|
||||||
|
|
||||||
|
|
|
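Review bot: `create_json_response` now raises via `abort()` for 403 and 404 and silently discards the `data` argument (the caller's error reason) for those codes; this looks intentional, since the app error handlers then answer with a fixed generic body so API callers learn nothing more, but it is an undocumented contract change for every existing caller. Add a docstring stating that 403/404 are escalated to the application error handlers and that `data` is dropped in that case. The identical function is added verbatim in the `@ -45,6 +45,10` and `@ -34,6 +34,10` hunks as well; a single shared helper would keep the three copies from drifting apart. Only the `@ -9,7 +9,7` hunk shows `abort` being added to a flask import — if this file's import does not already include it, the new branches raise NameError on first use.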
@ -9,7 +9,7 @@ import os
|
||||||
import sys
|
import sys
|
||||||
import json
|
import json
|
||||||
|
|
||||||
from flask import render_template, jsonify, request, Blueprint, redirect, url_for, Response
|
from flask import render_template, jsonify, request, Blueprint, redirect, url_for, Response, abort
|
||||||
from flask_login import login_required, current_user
|
from flask_login import login_required, current_user
|
||||||
|
|
||||||
sys.path.append('modules')
|
sys.path.append('modules')
|
||||||
|
@ -45,6 +45,10 @@ def api_validator(api_response):
|
||||||
return Response(json.dumps(api_response[0], indent=2, sort_keys=True), mimetype='application/json'), api_response[1]
|
return Response(json.dumps(api_response[0], indent=2, sort_keys=True), mimetype='application/json'), api_response[1]
|
||||||
|
|
||||||
def create_json_response(data, status_code):
|
def create_json_response(data, status_code):
|
||||||
|
if status_code == 403:
|
||||||
|
abort(403)
|
||||||
|
elif status_code == 404:
|
||||||
|
abort(404)
|
||||||
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
|
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
|
||||||
|
|
||||||
# ============= ROUTES ==============
|
# ============= ROUTES ==============
|
||||||
|
@ -330,7 +334,7 @@ def tracker_edit():
|
||||||
tracker_uuid = request.args.get('uuid', None)
|
tracker_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res: # invalid access
|
if res: # invalid access
|
||||||
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
tracker = Tracker.Tracker(tracker_uuid)
|
tracker = Tracker.Tracker(tracker_uuid)
|
||||||
dict_tracker = tracker.get_meta(options={'description', 'level', 'mails', 'filters', 'tags', 'webhooks'})
|
dict_tracker = tracker.get_meta(options={'description', 'level', 'mails', 'filters', 'tags', 'webhooks'})
|
||||||
|
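Review bot: With `create_json_response` now aborting for 403/404, those `res[1]` values in `tracker_edit` reach the app error handlers (login redirect or error page), while any other status `api_check_tracker_acl` may return still comes back as a raw JSON body from what appears to be an HTML page route — hedged, since the function's possible return codes are not visible here. The same applies to `tracker_objects` in the next hunk. `tracker_edit` starts before the hunk.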
@ -446,7 +450,7 @@ def tracker_objects():
|
||||||
tracker_uuid = request.args.get('uuid', None)
|
tracker_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
|
||||||
if res: # invalid access
|
if res: # invalid access
|
||||||
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
return create_json_response(res[0], res[1])
|
||||||
|
|
||||||
tracker = Tracker.Tracker(tracker_uuid)
|
tracker = Tracker.Tracker(tracker_uuid)
|
||||||
meta = tracker.get_meta(options={'description', 'sparkline', 'tags', 'nb_objs'})
|
meta = tracker.get_meta(options={'description', 'sparkline', 'tags', 'nb_objs'})
|
||||||
|
|
|
@ -34,6 +34,10 @@ bootstrap_label = Flask_config.bootstrap_label
|
||||||
|
|
||||||
# ============ FUNCTIONS ============
|
# ============ FUNCTIONS ============
|
||||||
def create_json_response(data, status_code):
|
def create_json_response(data, status_code):
|
||||||
|
if status_code == 403:
|
||||||
|
abort(403)
|
||||||
|
elif status_code == 404:
|
||||||
|
abort(404)
|
||||||
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
|
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
|
||||||
|
|
||||||
# ============= ROUTES ==============
|
# ============= ROUTES ==============
|
||||||
|
|