Authorize according to API key (if given) over cookies (#3877)

* remove legacy session identifier support * remove redundant test * redirect to login to support any invalid session identifiers * be more specific with caught errors * use authorization according to api_key (if provided) over session
getredash · Jun 12, 2019 · 2af8b39 · 2af8b39
1 parent 3faed0f
commit 2af8b39
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/redash/authentication/__init__.py b/redash/authentication/__init__.py
@@ -41,6 +41,10 @@ def sign(key, path, expires):
 
 @login_manager.user_loader
 def load_user(user_id_with_identity):
+    user = api_key_load_user_from_request(request)
+    if user:
+        return user
+
     org = current_org._get_current_object()
 
     try:

diff --git a/tests/test_authentication.py b/tests/test_authentication.py
@@ -127,6 +127,19 @@ def test_user_api_key(self):
             self.assertEqual(user.id, hmac_load_user_from_request(request).id)
 
 
+class TestSessionAuthentication(BaseTestCase):
+    def test_prefers_api_key_over_session_user_id(self):
+        user = self.factory.create_user()
+        query = self.factory.create_query(user=user)
+
+        other_org = self.factory.create_org()
+        other_user = self.factory.create_user(org=other_org)
+        models.db.session.flush()
+
+        rv = self.make_request('get', '/api/queries/{}?api_key={}'.format(query.id, query.api_key), user=other_user)
+        self.assertEqual(rv.status_code, 200)
+
+
 class TestCreateAndLoginUser(BaseTestCase):
     def test_logins_valid_user(self):
         user = self.factory.create_user(email=u'test@example.com')