mirror of
https://github.com/discourse/discourse.git
synced 2024-12-11 21:03:57 +08:00
bfc3132bb2
What is the problem here? In multiple controllers, we are accepting a `limit` params but do not impose any upper bound on the values being accepted. Without an upper bound, we may be allowing arbituary users from generating DB queries which may end up exhausing the resources on the server. What is the fix here? A new `fetch_limit_from_params` helper method is introduced in `ApplicationController` that can be used by controller actions to safely get the limit from the params as a default limit and maximum limit has to be set. When an invalid limit params is encountered, the server will respond with the 400 response code.
154 lines
4.2 KiB
Ruby
154 lines
4.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class Admin::ApiController < Admin::AdminController
|
|
# Note: in the REST API, ApiKeys are referred to simply as "key"
|
|
# If we used "api_key", then our user provider would try to use the value for authentication
|
|
|
|
INDEX_LIMIT = 50
|
|
|
|
def index
|
|
offset = (params[:offset] || 0).to_i
|
|
limit = fetch_limit_from_params(default: INDEX_LIMIT, max: INDEX_LIMIT)
|
|
|
|
keys =
|
|
ApiKey
|
|
.where(hidden: false)
|
|
.includes(:user, :api_key_scopes)
|
|
# Sort revoked keys by revoked_at and active keys by created_at
|
|
.order("revoked_at DESC NULLS FIRST, created_at DESC")
|
|
.offset(offset)
|
|
.limit(limit)
|
|
|
|
render_json_dump(keys: serialize_data(keys, ApiKeySerializer), offset: offset, limit: limit)
|
|
end
|
|
|
|
def show
|
|
api_key = ApiKey.includes(:api_key_scopes).find_by!(id: params[:id])
|
|
render_serialized(api_key, ApiKeySerializer, root: "key")
|
|
end
|
|
|
|
def scopes
|
|
scopes =
|
|
ApiKeyScope
|
|
.scope_mappings
|
|
.reduce({}) do |memo, (resource, actions)|
|
|
memo.tap do |m|
|
|
m[resource] = actions.map do |k, v|
|
|
{
|
|
scope_id: "#{resource}:#{k}",
|
|
key: k,
|
|
name: k.to_s.gsub("_", " "),
|
|
params: v[:params],
|
|
urls: v[:urls],
|
|
}
|
|
end
|
|
end
|
|
end
|
|
|
|
render json: { scopes: scopes }
|
|
end
|
|
|
|
def update
|
|
api_key = ApiKey.find_by!(id: params[:id])
|
|
ApiKey.transaction do
|
|
api_key.update!(update_params)
|
|
log_api_key(api_key, UserHistory.actions[:api_key_update], changes: api_key.saved_changes)
|
|
end
|
|
render_serialized(api_key, ApiKeySerializer, root: "key")
|
|
end
|
|
|
|
def destroy
|
|
api_key = ApiKey.find_by!(id: params[:id])
|
|
ApiKey.transaction do
|
|
api_key.destroy
|
|
log_api_key(api_key, UserHistory.actions[:api_key_destroy])
|
|
end
|
|
render json: success_json
|
|
end
|
|
|
|
def create
|
|
api_key = ApiKey.new(update_params)
|
|
ApiKey.transaction do
|
|
api_key.created_by = current_user
|
|
api_key.api_key_scopes = build_scopes
|
|
if username = params.require(:key).permit(:username)[:username].presence
|
|
api_key.user = User.find_by_username(username)
|
|
raise Discourse::NotFound unless api_key.user
|
|
end
|
|
api_key.save!
|
|
log_api_key(api_key, UserHistory.actions[:api_key_create], changes: api_key.saved_changes)
|
|
end
|
|
render_serialized(api_key, ApiKeySerializer, root: "key")
|
|
end
|
|
|
|
def undo_revoke_key
|
|
api_key = ApiKey.find_by(id: params[:id])
|
|
raise Discourse::NotFound if api_key.blank?
|
|
|
|
ApiKey.transaction do
|
|
api_key.update(revoked_at: nil)
|
|
log_api_key_restore(api_key)
|
|
end
|
|
render_serialized(api_key, ApiKeySerializer)
|
|
end
|
|
|
|
def revoke_key
|
|
api_key = ApiKey.find_by(id: params[:id])
|
|
raise Discourse::NotFound if api_key.blank?
|
|
|
|
ApiKey.transaction do
|
|
api_key.update(revoked_at: Time.zone.now)
|
|
log_api_key_revoke(api_key)
|
|
end
|
|
render_serialized(api_key, ApiKeySerializer)
|
|
end
|
|
|
|
private
|
|
|
|
def build_scopes
|
|
params.require(:key)[:scopes].to_a.map do |scope_params|
|
|
resource, action = scope_params[:scope_id].split(":")
|
|
|
|
mapping = ApiKeyScope.scope_mappings.dig(resource.to_sym, action.to_sym)
|
|
raise Discourse::InvalidParameters if mapping.nil? # invalid mapping
|
|
|
|
ApiKeyScope.new(
|
|
resource: resource,
|
|
action: action,
|
|
allowed_parameters: build_params(scope_params, mapping[:params]),
|
|
)
|
|
end
|
|
end
|
|
|
|
def build_params(scope_params, params)
|
|
return if params.nil?
|
|
|
|
scope_params
|
|
.slice(*params)
|
|
.tap do |allowed_params|
|
|
allowed_params.each do |k, v|
|
|
v.blank? ? allowed_params.delete(k) : allowed_params[k] = v.split(",")
|
|
end
|
|
end
|
|
end
|
|
|
|
def update_params
|
|
editable_fields = [:description]
|
|
permitted_params = params.permit(key: [*editable_fields])[:key]
|
|
raise Discourse::InvalidParameters unless permitted_params
|
|
permitted_params
|
|
end
|
|
|
|
def log_api_key(*args)
|
|
StaffActionLogger.new(current_user).log_api_key(*args)
|
|
end
|
|
|
|
def log_api_key_revoke(*args)
|
|
StaffActionLogger.new(current_user).log_api_key_revoke(*args)
|
|
end
|
|
|
|
def log_api_key_restore(*args)
|
|
StaffActionLogger.new(current_user).log_api_key_restore(*args)
|
|
end
|
|
end
|