From d56b7b9a583ae3b95a7b12ebc384e073c2e2fcd9 Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Fri, 9 Dec 2016 15:44:58 +0000
Subject: [PATCH] block inactive services from making stateful changes

in the NotifyAdminAPIClient, which all api traffic goes through, return 403 for any stateful requests (post, put and delete), if the following criteria have been met:

* a current_service is set (this prevents checks being carried out on non-service related updates, eg editing user details)
* the service is not active
* the current user is not a platform admin so platform admins can still update anything.

Note: Without any specific error handling, the user will see a generic 403 page. This is fine, probably - it's a relatively niche case that you'll be editing a service you can't get to anyway
---
 app/notify_client/__init__.py | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/app/notify_client/__init__.py b/app/notify_client/__init__.py
index b4d1c02e0..fb0cb7f19 100644
--- a/app/notify_client/__init__.py
+++ b/app/notify_client/__init__.py
@@ -34,13 +34,9 @@ class NotifyAdminAPIClient(BaseAPIClient):
         # if the current service is inactive and the user isn't a platform admin, we should block them from making any
         # stateful modifications to that service
-        print('\n\n\n')
-        print(current_service)
-        print(current_user)
         if current_service and not current_service['active'] and not current_user.platform_admin:
             abort(403)
 
-
     def post(self, *args, **kwargs):
         self.check_inactive_service()
         return super().post(*args, **kwargs)