harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Don't include ping URLs in API responses when the read-only key is used

Browse Source
This commit is contained in:
Pēteris Caune 2019-07-04 09:36:27 +03:00
parent 3eef3c982f
commit 1f1b1aedca
No known key found for this signature in database
GPG Key ID: E28D7679E9A9EDE2
6 changed files with 25 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.
- Show check's code instead of full URL on 992px - 1200px wide screens. (#253)
- Add WhatsApp integration (uses Twilio same as the SMS integration)
- Webhooks support the $TAGS placeholder
- Don't include ping URLs in API responses when the read-only key is used
### Bug Fixes
- Fix badges for tags containing special characters (#240, #237)

2
hc/api/decorators.py
View File

@ -27,6 +27,7 @@ def authorize(f):
except Project.DoesNotExist:
return error("wrong api key", 401)
request.readonly = False
return f(request, *args, **kwds)
return wrapper
@ -50,6 +51,7 @@ def authorize_read(f):
except Project.DoesNotExist:
return error("wrong api key", 401)
request.readonly = api_key == request.project.api_key_readonly
return f(request, *args, **kwds)
return wrapper

26
hc/api/models.py
View File

@ -167,26 +167,34 @@ class Check(models.Model):
def matches_tag_set(self, tag_set):
return tag_set.issubset(self.tags_list())
def to_dict(self):
update_rel_url = reverse("hc-api-update", args=[self.code])
pause_rel_url = reverse("hc-api-pause", args=[self.code])
channel_codes = [str(ch.code) for ch in self.channel_set.all()]
def channels_str(self):
""" Return a comma-separated string of assigned channel codes. """
codes = self.channel_set.order_by("code").values_list("code", flat=True)
return ",".join(map(str, codes))
def to_dict(self, readonly=False):
result = {
"name": self.name,
"ping_url": self.url(),
"update_url": settings.SITE_ROOT + update_rel_url,
"pause_url": settings.SITE_ROOT + pause_rel_url,
"tags": self.tags,
"grace": int(self.grace.total_seconds()),
"n_pings": self.n_pings,
"status": self.get_status(),
"channels": ",".join(sorted(channel_codes)),
"last_ping": isostring(self.last_ping),
"next_ping": isostring(self.get_grace_start()),
"desc": self.desc,
}
if not readonly:
update_rel_url = reverse("hc-api-update", args=[self.code])
pause_rel_url = reverse("hc-api-pause", args=[self.code])
result["ping_url"] = self.url()
result["update_url"] = settings.SITE_ROOT + update_rel_url
result["pause_url"] = settings.SITE_ROOT + pause_rel_url
result["channels"] = self.channels_str()
result["desc"] = self.desc
if self.kind == "simple":
result["timeout"] = int(self.timeout.total_seconds())
elif self.kind == "cron":

7
hc/api/tests/test_list_channels.py
View File

@ -51,10 +51,3 @@ class ListChannelsTestCase(BaseTestCase):
self.assertEqual(r.status_code, 200)
self.assertContains(r, "Email to Alice")
def test_readonly_key_works(self):
self.project.api_key_readonly = "R" * 32
self.project.save()
r = self.client.get("/api/v1/channels/", HTTP_X_API_KEY="R" * 32)
self.assertEqual(r.status_code, 200)

3
hc/api/tests/test_list_checks.py
View File

@ -150,3 +150,6 @@ class ListChecksTestCase(BaseTestCase):
r = self.client.get("/api/v1/checks/", HTTP_X_API_KEY="R" * 32)
self.assertEqual(r.status_code, 200)
# When using readonly keys, the ping URLs should not be exposed:
self.assertNotContains(r, self.a1.url())

4
hc/api/views.py
View File

@ -121,7 +121,7 @@ def get_checks(request):
for check in q:
# precise, final filtering
if not tags or check.matches_tag_set(tags):
checks.append(check.to_dict())
checks.append(check.to_dict(readonly=request.readonly))
return JsonResponse({"checks": checks})
@ -153,7 +153,7 @@ def checks(request):
@cors("GET")
@validate_json()
@authorize_read
@authorize
def channels(request):
q = Channel.objects.filter(project=request.project)
channels = [ch.to_dict() for ch in q]