From 86dbdd2e0373f503e25ec4cbb07796b02375d63e Mon Sep 17 00:00:00 2001
From: Jose Contreras
Date: Thu, 14 Sep 2017 13:15:18 -0400
Subject: [PATCH 1/2] Block jorgee user agent in nginx configuration.

---
 app/config/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/config/nginx.conf b/app/config/nginx.conf
index af53850..a3e0528 100644
--- a/app/config/nginx.conf
+++ b/app/config/nginx.conf
@@ -22,6 +22,9 @@ http {
         listen [::]:80;
         server_name $DOMAIN;
 
+        if ($http_user_agent ~ 'Mozilla/5.0 Jorgee') {
+            return 403;
+        }
         location / {
             include uwsgi_params;
             uwsgi_pass unix:$CODEROOT/uwsgi.sock;
--
GitLab

From c6948da3695becf110e9e021891b609aa5e78461 Mon Sep 17 00:00:00 2001
From: Conrad Schloer
Date: Thu, 14 Sep 2017 15:38:08 -0400
Subject: [PATCH 2/2] Check if permissions are required before interacting with object (#33)

* Check if permissions are required before interacting with object

* Check if key is in the payload
---
 app/permissions/auth.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/permissions/auth.py b/app/permissions/auth.py
index 360b77c..fb6bfbd 100644
--- a/app/permissions/auth.py
+++ b/app/permissions/auth.py
@@ -63,11 +63,15 @@ class AuthNeed(Permission):
 
             # Check permissions
             # The self.bool_ variable is a boolean if no value is passed in
-            CLAIMS_NAMESPACE = current_app.config['AUTH0_CLAIMS_NAMESPACE']
-            actual_permissions = payload['{}permissions'.format(CLAIMS_NAMESPACE)]
-            for permission in self.required_permissions:
-                if permission not in actual_permissions:
+            if self.required_permissions:
+                CLAIMS_NAMESPACE = current_app.config['AUTH0_CLAIMS_NAMESPACE']
+                permission_key = '{}permissions'.format(CLAIMS_NAMESPACE)
+                if permission_key not in payload:
                     return False
+                actual_permissions = payload[permission_key]
+                for permission in self.required_permissions:
+                    if permission not in actual_permissions:
+                        return False
             return True
 
         return False
--
GitLab
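Review bot: The pattern on the added `if` line is case-sensitive and tied to the exact `Mozilla/5.0 Jorgee` prefix, so any change in case or spacing of the scanner's header slips past it; `~*` with the distinctive token alone is more robust, e.g. `if ($http_user_agent ~* 'jorgee') {`. Since `User-Agent` is client-controlled, this block only cuts log noise and backend load from that scanner and is not an access control, which a one-line comment above the block should state so nobody later treats it as one. `return 444;` instead of `403` closes the connection without sending a response, which is the usual choice for unwanted scanners. If more agents get added, a `map $http_user_agent $block_ua` in the `http` context keeps the `server` block to a single `if`. The enclosing `server` block starts and ends outside the hunk.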
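Review bot: The new `actual_permissions = payload[permission_key]` line still trusts the claim's type: if the namespaced claim is a string rather than a list, `permission not in actual_permissions` becomes a substring test (a required `read` would be satisfied by a claim value of `read:all`), and a `None` value raises `TypeError` instead of denying. Replace the key check and the read with `actual_permissions = payload.get(permission_key)` followed by `if not isinstance(actual_permissions, (list, tuple, set)): return False`, which covers both the missing key and a malformed value with a deny. The comment `# The self.bool_ variable is a boolean if no value is passed in` left as context no longer describes anything in this block and should be replaced by one that states the contract, e.g. `# Deny unless every required permission is present in the token's namespaced permissions claim`. This presumably assumes `payload` came from an already signature-verified token; the hunk does not show that, and the enclosing method begins and ends outside it.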