
AWX oauth2 provider /user/:pk/personal_tokens/ always returns tokens for the current user regardless of the specified PK #15159

Open
5 of 11 tasks
relrod opened this issue May 1, 2024 · 3 comments

Comments

@relrod
Member

relrod commented May 1, 2024

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

Found this while reading the code working on the DAB oauth implementation.

AWX version

devel

Select the relevant components

  • UI
  • UI (tech preview)
  • API
  • Docs
  • Collection
  • CLI
  • Other

Installation method

N/A

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

  • Have a user which sets up some personal access tokens (i.e. oauth2 tokens with a null FK to Application)
  • As the user go to /api/v2/users/PK/personal_tokens/
  • Or as an admin go to /api/v2/users/PK/personal_tokens/ and you'll see the admin's tokens instead

Expected results

The tokens of the user with the given PK (if I have permission to see them)

Actual results

My own tokens

Additional information

No response

@relrod
Member Author

relrod commented May 1, 2024

# Imports as they appear in the AWX code base (added for context):
from oauth2_provider.models import get_access_token_model
from awx.api.generics import SubListCreateAPIView

class UserPersonalTokenList(SubListCreateAPIView):
    # [...]

    def get_queryset(self):
        # Bug: filters on the requesting user; the user PK from the URL is never consulted.
        return get_access_token_model().objects.filter(application__isnull=True, user=self.request.user)

We filter on the request user always, even though the route allows for a PK.
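The behaviour described above next to a corrected version, as an added example that is not AWX project code and not part of the original comment. It models the two `get_queryset()` variants in plain Python rather than Django so it runs offline: the users, tokens, `can_read_user` access rule and `personal_tokens_fixed` helper are all constructed for illustration. The fixed variant resolves the parent user from the URL PK, checks the requester may read that user, and only then filters tokens on the parent user.

```python
"""Added example (not AWX code): the reported queryset vs. a PK-respecting fix."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    pk: int
    username: str
    is_superuser: bool = False


@dataclass(frozen=True)
class AccessToken:
    token: str
    user_pk: int
    application_pk: Optional[int]  # None models application__isnull=True (a PAT)


class PermissionDenied(Exception):
    """Stands in for DRF's PermissionDenied (HTTP 403)."""


# Constructed sample data: a normal user and an admin, each with one PAT.
ALICE = User(pk=1, username="alice")
ADMIN = User(pk=2, username="admin", is_superuser=True)
USERS = {u.pk: u for u in (ALICE, ADMIN)}

TOKENS = [
    AccessToken("alice-pat", user_pk=1, application_pk=None),
    AccessToken("alice-app", user_pk=1, application_pk=10),  # app-bound, not a PAT
    AccessToken("admin-pat", user_pk=2, application_pk=None),
]


def personal_tokens_as_reported(request_user: User, url_pk: int) -> List[str]:
    """Mirrors the queryset in the issue: url_pk is ignored, request_user wins."""
    return [t.token for t in TOKENS
            if t.application_pk is None and t.user_pk == request_user.pk]


def can_read_user(request_user: User, target: User) -> bool:
    """Hypothetical access rule: read your own tokens, or anyone's if superuser."""
    return request_user.is_superuser or request_user.pk == target.pk


def personal_tokens_fixed(request_user: User, url_pk: int) -> List[str]:
    """Resolve the parent user from the URL, enforce access, filter on *that* user."""
    parent = USERS.get(url_pk)
    if parent is None:
        raise LookupError(f"no user with pk={url_pk}")  # Django would 404 here
    if not can_read_user(request_user, parent):
        raise PermissionDenied(f"{request_user.username} may not read user {url_pk}")
    return [t.token for t in TOKENS
            if t.application_pk is None and t.user_pk == parent.pk]


if __name__ == "__main__":
    # Admin asks for alice's PATs: reported code returns the admin's own tokens.
    print("reported:", personal_tokens_as_reported(ADMIN, ALICE.pk))
    print("fixed:   ", personal_tokens_fixed(ADMIN, ALICE.pk))
```

Note that the fix is not just "swap `self.request.user` for the URL user": without the access check, honouring the PK would turn a confusing result into an information-disclosure path, which is why the parent lookup and permission check come before the filter.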

@TheRealHaoLiu
Member

assigned to @relrod

@relrod relrod assigned TheRealHaoLiu and unassigned relrod May 15, 2024
@relrod
Member Author

relrod commented May 15, 2024

assigned to @TheRealHaoLiu 🤣
