From 21c23c276f3009039950bcbb209f26c33b59ff56 Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Thu, 27 Jun 2019 12:20:58 +0100 Subject: [PATCH] Fix a bug were the user_has_permission. This is an immediate fix to add the permission checks to the callback page. However, we have a plan to add a unit test to check for permission introspectively for all routes that have service_id. --- app/main/views/api_keys.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/main/views/api_keys.py b/app/main/views/api_keys.py index 91d87c163..f6f75549c 100644 --- a/app/main/views/api_keys.py +++ b/app/main/views/api_keys.py @@ -169,6 +169,7 @@ def check_token_against_dummy_bearer(token): @main.route("/services//api/callbacks", methods=['GET']) @login_required +@user_has_permissions('manage_api_keys') def api_callbacks(service_id): if not current_service.has_permission('inbound_sms'): return redirect(url_for('.delivery_status_callback', service_id=service_id)) @@ -193,6 +194,7 @@ def get_delivery_status_callback_details(): @main.route("/services//api/callbacks/delivery-status-callback", methods=['GET', 'POST']) @login_required +@user_has_permissions('manage_api_keys') def delivery_status_callback(service_id): delivery_status_callback = get_delivery_status_callback_details() back_link = ( @@ -255,6 +257,7 @@ def get_received_text_messages_callback(): @main.route("/services//api/callbacks/received-text-messages-callback", methods=['GET', 'POST']) @login_required +@user_has_permissions('manage_api_keys') def received_text_messages_callback(service_id): if not current_service.has_permission('inbound_sms'): return redirect(url_for('.api_integration', service_id=service_id))