chg: [UI] abort 403 and 404

terrtia 2024-09-06 14:32:25 +02:00
parent 8ab66e7309
commit df4969be82
No known key found for this signature in database
GPG key ID: 1E1B1F50D84613D0
4 changed files with 27 additions and 3 deletions


@ -274,6 +274,14 @@ def _handle_client_error(e):
else:
return e
@app.errorhandler(403)
def error_page_not_found(e):
if request.path.startswith('/api/'): ## # TODO: add baseUrl
return Response(json.dumps({"status": "error", "reason": "403 Access Denied"}) + '\n', mimetype='application/json'), 403
else:
# avoid endpoint enumeration
return page_forbidden(e)
@app.errorhandler(404)
def error_page_not_found(e):
if request.path.startswith('/api/'): ## # TODO: add baseUrl
@ -289,6 +297,10 @@ def _handle_client_error(e):
else:
return e
@login_required
def page_forbidden(e):
return render_template("error/403.html"), 403
@login_required
def page_not_found(e):
# avoid endpoint enumeration
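Review bot: The new 403 handler in the first hunk is named `error_page_not_found`, the same name as the 404 handler that follows it; Flask registers the function object at decoration time so both handlers still fire, but the module-level name now refers only to the 404 handler and the two are indistinguishable in tracebacks and tests. Rename it `def error_page_forbidden(e):`. Note also that `page_forbidden` is wrapped in `@login_required`, so an unauthenticated visitor who hits a 403 on a non-API path gets Flask-Login's unauthorized handling (presumably a login redirect) rather than the 403 page; that matches the `# avoid endpoint enumeration` intent but deserves a comment on `page_forbidden`, e.g. `# login_required: anonymous callers are redirected, so a 403 cannot be used to probe for protected routes`. The 404 handler's body in the first hunk and `page_not_found` in the second continue past the hunk.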


@ -51,6 +51,10 @@ def api_validator(message, code):
def create_json_response(data, status_code):
if status_code == 403:
abort(403)
elif status_code == 404:
abort(404)
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
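Review bot: `create_json_response` now calls `abort(403)` / `abort(404)`, but no import hunk for this file is in the commit (only the third file section gains `from flask import ..., abort`), so unless `abort` is already imported here, and likewise in the copy in the fourth file section, the NameError will surface only when a 403/404 is actually returned; verify the import in both files. The same four lines are pasted into three files (this section, the third and the fourth), so the 403/404 policy is maintained in three places and a single shared helper would be safer. Either way the function should state that the payload is dropped on those codes, e.g. `"""Serialize data as JSON; 403/404 are converted to abort() so the app-level error handlers answer with a generic body and data is discarded."""`.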


@ -9,7 +9,7 @@ import os
import sys
import json
from flask import render_template, jsonify, request, Blueprint, redirect, url_for, Response
from flask import render_template, jsonify, request, Blueprint, redirect, url_for, Response, abort
from flask_login import login_required, current_user
sys.path.append('modules')
@ -45,6 +45,10 @@ def api_validator(api_response):
return Response(json.dumps(api_response[0], indent=2, sort_keys=True), mimetype='application/json'), api_response[1]
def create_json_response(data, status_code):
if status_code == 403:
abort(403)
elif status_code == 404:
abort(404)
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
# ============= ROUTES ==============
@ -330,7 +334,7 @@ def tracker_edit():
tracker_uuid = request.args.get('uuid', None)
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
if res: # invalid access
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
return create_json_response(res[0], res[1])
tracker = Tracker.Tracker(tracker_uuid)
dict_tracker = tracker.get_meta(options={'description', 'level', 'mails', 'filters', 'tags', 'webhooks'})
@ -446,7 +450,7 @@ def tracker_objects():
tracker_uuid = request.args.get('uuid', None)
res = Tracker.api_check_tracker_acl(tracker_uuid, user_org, user_id, user_role, 'edit')
if res: # invalid access
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
return create_json_response(res[0], res[1])
tracker = Tracker.Tracker(tracker_uuid)
meta = tracker.get_meta(options={'description', 'sparkline', 'tags', 'nb_objs'})


@ -34,6 +34,10 @@ bootstrap_label = Flask_config.bootstrap_label
# ============ FUNCTIONS ============
def create_json_response(data, status_code):
if status_code == 403:
abort(403)
elif status_code == 404:
abort(404)
return Response(json.dumps(data, indent=2, sort_keys=True), mimetype='application/json'), status_code
# ============= ROUTES ==============