Merge branch 'viur-framework:main' into master

Grashalmbeisser · Nov 30, 2023 · 93f20c6 · 93f20c6
2 parents 018c909 + 8809c50
commit 93f20c6
Show file tree

Hide file tree

Showing 11 changed files with 480 additions and 465 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,22 @@
 
 This file documents any relevant changes done to ViUR-core since version 3.
 
+## [3.5.7]
+
+- fix: Update dependencies, urllib3 CVE-2023-45803 (#938)
+- fix: User-module default customAction triggers require skey (#939)
+
+## [3.5.6]
+
+- fix: `access` in method description must not be a generator object (#936)
+- fix: Always set `Secure` mode for session cookie (#931)
+
+## [3.5.5]
+
+- fix: Raise an `AttributeError` in case of `KeyError` in `SkeletonInstance.boneMap` (#930)
+- fix: refactor `pathlist` to `path_list` (#928)
+- feat: Add user admin login context (#901)
+
 ## [3.5.4]
 
 - fix: Add `allow_empty=True` for tasks/execute (#922)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -71,7 +71,6 @@ Try to keep external dependencies low.
 
 In case you have appropriate permissions, a release can be done this way:
 
-- Make sure all hotfixes from `main` are in `develop` as well (`git merge main`)
 - Bump version number in `src/viur/core/version.py`
 - Update [`CHANGELOG.md`](/CHANGELOG.md) and also check version number there
   - To quickly generate a changelog, run `git log --pretty="- %s" main..develop`
@@ -80,7 +79,8 @@ In case you have appropriate permissions, a release can be done this way:
   - Ensure any old files are deleted by running `pipenv run clean`
   - Build the wheel using `pipenv run build`
   - Release the package `pipenv run release`
-- When all went well, finally commit and create a tag equally to the version number in `src/viur/core/version.py`
+- When all went well, commit and create a tag equally to the version number in `src/viur/core/version.py`
+- Finally, make sure all hotfixes from `main` are in `develop` as well (`git checkout develop && git pull && git merge main`)
 
 ## Branches
 

diff --git a/Pipfile b/Pipfile
@@ -28,7 +28,7 @@ qrcode = "~=7.0"
 requests = "~=2.0"
 tzlocal = "~=5.0"
 user-agents = "~=2.0"
-urllib3 = "==1.26.17"  # for appengine-python-standard used by some projects (https://github.com/GoogleCloudPlatform/appengine-python-standard/blob/main/setup.py#L28)
+urllib3 = "==1.26.18"  # for appengine-python-standard used by some projects (https://github.com/GoogleCloudPlatform/appengine-python-standard/blob/main/setup.py#L28)
 #viur-datastore = "~=1.0"
 viur-datastore = "==1.3.11"
 webob = "~=1.0"

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/src/viur/core/cache.py b/src/viur/core/cache.py
@@ -125,8 +125,8 @@ def wrapF(self, *args, **kwargs) -> Union[str, bytes]:
                 logging.debug("Caching is disabled by config")
             return f(self, *args, **kwargs)
         # How many arguments are part of the way to the function called (and how many are just *args)
-        offset = -len(currReq.args) or len(currReq.pathlist)
-        path = "/" + "/".join(currReq.pathlist[: offset])
+        offset = -len(currReq.args) or len(currReq.path_list)
+        path = "/" + "/".join(currReq.path_list[: offset])
         if not path in urls:
             # This path (possibly a sub-render) should not be cached
             logging.debug("Not caching for %s" % path)

diff --git a/src/viur/core/module.py b/src/viur/core/module.py
@@ -324,7 +324,7 @@ def describe(self) -> dict:
             ret["skey"] = self.skey["name"]
 
         if self.access:
-            ret["access"] = (str(access) for access in self.access["access"])
+            ret["access"] = [str(access) for access in self.access["access"]]  # must be a list to be JSON-serializable
 
         return ret
 

diff --git a/src/viur/core/modules/user.py b/src/viur/core/modules/user.py
@@ -1073,7 +1073,7 @@ class User(List):
                 "icon": "trash",
                 "access": ["root"],
                 "action": "fetch",
-                "url": "/vi/{{module}}/trigger/kick/{{key}}",
+                "url": "/vi/{{module}}/trigger/kick/{{key}}?skey={{skey}}",
                 "confirm": i18n.translate(
                     key="viur.modules.user.customActions.kick.confirm",
                     defaultText="Do you really want to drop all sessions of the selected user from the system?",
@@ -1092,7 +1092,7 @@ class User(List):
                 "icon": "interface",
                 "access": ["root"],
                 "action": "fetch",
-                "url": "/vi/{{module}}/trigger/takeover/{{key}}",
+                "url": "/vi/{{module}}/trigger/takeover/{{key}}?skey={{skey}}",
                 "confirm": i18n.translate(
                     key="viur.modules.user.customActions.takeover.confirm",
                     defaultText="Do you really want to replace your current user session by a "
@@ -1377,17 +1377,15 @@ def getAuthMethods(self, *args, **kwargs):
         return json.dumps(res)
 
     @exposed
-    def trigger(self, action: str, key: str, skey: str):
+    @skey
+    def trigger(self, action: str, key: str):
         current.request.get().response.headers["Content-Type"] = "application/json"
 
         # Check for provided access right definition (equivalent to client-side check), fallback to root!
         access = self.adminInfo.get("customActions", {}).get(f"trigger_{action}", {}).get("access") or ("root", )
         if not ((cuser := current.user.get()) and any(role in cuser["access"] for role in access)):
             raise errors.Unauthorized()
 
-        if not securitykey.validate(skey, session_bound=True):
-            raise errors.PreconditionFailed()
-
         skel = self.baseSkel()
         if not skel.fromDB(key):
             raise errors.NotFound()