fix: Admin should not bypass auth when using API key (#2257)
JanCizmar authored Apr 17, 2024
1 parent 7f5b717 commit a0d8610
Showing 2 changed files with 18 additions and 1 deletion.
Expand Up @@ -90,7 +90,7 @@ class ProjectAuthorizationInterceptor(
val missingScopes = getMissingScopes(requiredScopes, scopes.toSet())

if (missingScopes.isNotEmpty()) {
if (!isAdmin) {
if (!isAdmin || authenticationFacade.isProjectApiKeyAuth) {
logger.debug(
"Rejecting access to proj#{} for user#{} - Insufficient permissions",
project.id,
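Review bot: The new guard `if (!isAdmin || authenticationFacade.isProjectApiKeyAuth)` is a double negative that hides the actual rule (an admin only skips the scope check when not authenticated with a project API key); a named local makes it read the way the commit title states it: `val adminBypassesScopes = isAdmin && !authenticationFacade.isProjectApiKeyAuth` followed by `if (!adminBypassesScopes) {`. The debug message on the next lines still says "Insufficient permissions" for the admin-with-API-key case, where the real reason is that the key's scopes are authoritative; consider adding the authentication kind to that log line so the rejection is distinguishable when debugging access issues. The enclosing method starts and ends outside this hunk; if `isAdmin` short-circuits any other check earlier in it, that check presumably needs the same `isProjectApiKeyAuth` exclusion, which cannot be confirmed from the visible lines.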
Expand Up @@ -25,6 +25,7 @@ import io.tolgee.fixtures.andIsForbidden
import io.tolgee.fixtures.andIsNotFound
import io.tolgee.fixtures.andIsOk
import io.tolgee.model.Project
import io.tolgee.model.UserAccount
import io.tolgee.model.enums.Scope
import io.tolgee.security.OrganizationHolder
import io.tolgee.security.ProjectHolder
Expand Down Expand Up @@ -156,6 +157,22 @@ class ProjectAuthorizationInterceptorTest {
mockMvc.perform(MockMvcRequestBuilders.get("/v2/projects/1337/requires-single-scope")).andIsOk
}

@Test
fun `rejects access if the user is admin and authorizes with API key`() {
Mockito.`when`(authenticationFacade.isApiAuthentication).thenReturn(false)
Mockito.`when`(userAccount.role).thenReturn(UserAccount.Role.ADMIN)

Mockito.`when`(securityService.getCurrentPermittedScopes(1337L))
.thenReturn(setOf(Scope.KEYS_VIEW))

mockMvc.perform(MockMvcRequestBuilders.get("/v2/projects/1337/requires-single-scope")).andIsOk

Mockito.`when`(authenticationFacade.isProjectApiKeyAuth).thenReturn(true)
Mockito.`when`(userAccount.role).thenReturn(UserAccount.Role.ADMIN)

mockMvc.perform(MockMvcRequestBuilders.get("/v2/projects/1337/requires-single-scope")).andIsForbidden
}

@Test
fun `rejects access if the user does not have the required scope (multiple scopes)`() {
Mockito.`when`(securityService.getCurrentPermittedScopes(1337L))
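Review bot: The first half of the new test stubs `authenticationFacade.isApiAuthentication`, but the interceptor change under test reads `authenticationFacade.isProjectApiKeyAuth`, so the "admin passes" leg only succeeds through Mockito's default `false` for the unstubbed property; stub `authenticationFacade.isProjectApiKeyAuth` to `false` explicitly there so the test states the precondition it relies on. The second `userAccount.role` stub repeats the first one with the same value and can be dropped. Since the test asserts two distinct behaviours (admin bypass without API key, no bypass with API key), splitting it into two `@Test` functions would give a failure a clearer name, consistent with the neighbouring single-behaviour tests.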
