authordrebs <drebs@leap.se>2016-12-18 12:56:21 -0200
committerKali Kaneko <kali@leap.se>2017-02-09 17:41:33 +0100
commita39af0e003ba95c9b7ab554aa4a4c5ce316a43c7 (patch)
tree1f7bb3b42724f3646af6ebe77509a70a924a5963
parentdb7607768310c9f9993d771cf1951d396be2554b (diff)
[bug] disallow all requests to "user-{uuid}/"
-rw-r--r--server/src/leap/soledad/server/auth.py11
-rw-r--r--testing/tests/server/test_server.py8
2 files changed, 6 insertions, 13 deletions
diff --git a/server/src/leap/soledad/server/auth.py b/server/src/leap/soledad/server/auth.py
index b0764569..f3d9c8a8 100644
--- a/server/src/leap/soledad/server/auth.py
+++ b/server/src/leap/soledad/server/auth.py
@@ -100,7 +100,7 @@ class URLToAuthorization(object):
/shared-db/docs | -
/shared-db/doc/{any_id} | GET, PUT, DELETE
/shared-db/sync-from/{source} | -
- /user-db | GET, PUT, DELETE
+ /user-db | -
/user-db/docs | -
/user-db/doc/{id} | -
/user-db/sync-from/{source} | GET, PUT, POST
@@ -108,19 +108,12 @@ class URLToAuthorization(object):
# auth info for global resource
self._register('/', [self.HTTP_METHOD_GET])
# auth info for shared-db database resource
- self._register(
- '/%s' % SHARED_DB_NAME,
- [self.HTTP_METHOD_GET])
+ self._register('/%s' % SHARED_DB_NAME, [self.HTTP_METHOD_GET])
# auth info for shared-db doc resource
self._register(
'/%s/doc/{id:.*}' % SHARED_DB_NAME,
[self.HTTP_METHOD_GET, self.HTTP_METHOD_PUT,
self.HTTP_METHOD_DELETE])
- # auth info for user-db database resource
- self._register(
- '/%s' % self._user_db_name,
- [self.HTTP_METHOD_GET, self.HTTP_METHOD_PUT,
- self.HTTP_METHOD_DELETE])
# auth info for user-db sync resource
self._register(
'/%s/sync-from/{source_replica_uid}' % self._user_db_name,
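Review bot: Removing the `/%s' % self._user_db_name` registration leaves no trace in `__init__` that the per-user database root is denied on purpose, so a later maintainer scanning the registrations could re-add it as a "missing" route; keep a comment at the removed spot such as `# the user-db database resource itself is deliberately not registered: is_authorized() denies every method on an unregistered URL (see test_server.py)`. The one-line reformat of the shared-db registration just above (`self._register('/%s' % SHARED_DB_NAME, [self.HTTP_METHOD_GET])`) is unrelated to the fix and makes this authorization change harder to audit in history; it would be cleaner as a separate commit. The enclosing `__init__` continues past the hunk.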
diff --git a/testing/tests/server/test_server.py b/testing/tests/server/test_server.py
index 6710caaf..cae2e75c 100644
--- a/testing/tests/server/test_server.py
+++ b/testing/tests/server/test_server.py
@@ -110,7 +110,7 @@ class ServerAuthorizationTestCase(BaseSoledadTest):
/shared-db/docs | -
/shared-db/doc/{id} | GET, PUT, DELETE
/shared-db/sync-from/{source} | -
- /user-db | GET, PUT, DELETE
+ /user-db | -
/user-db/docs | -
/user-db/doc/{id} | -
/user-db/sync-from/{source} | GET, PUT, POST
@@ -174,13 +174,13 @@ class ServerAuthorizationTestCase(BaseSoledadTest):
authmap.is_authorized(
self._make_environ('/shared/sync-from/x', 'POST')))
# test user-db database resource auth
- self.assertTrue(
+ self.assertFalse(
authmap.is_authorized(
self._make_environ('/%s' % dbname, 'GET')))
- self.assertTrue(
+ self.assertFalse(
authmap.is_authorized(
self._make_environ('/%s' % dbname, 'PUT')))
- self.assertTrue(
+ self.assertFalse(
authmap.is_authorized(
self._make_environ('/%s' % dbname, 'DELETE')))
self.assertFalse(
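Review bot: The flipped assertions cover only GET, PUT and DELETE on `'/%s' % dbname`, while the commit title claims all requests to the user-db root are disallowed; since the fix works by leaving the URL unregistered, a POST assertion would pin that default-deny behaviour rather than just the three methods that used to be allowed, e.g. `self.assertFalse(authmap.is_authorized(self._make_environ('/%s' % dbname, 'POST')))`. The test method this hunk belongs to starts before the hunk.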