Motivation
The visu tree management UI and API previously allowed any authenticated user or API key to perform destructive and privilege-changing operations, enabling privilege escalation of low-privileged accounts.
Server-side enforcement of admin privileges is required to prevent non-admin users from creating, updating, moving, deleting, or changing access/PINs of visu nodes.
Description
Require get_admin_user (admin-only) for visu write/mutation endpoints in obs/api/v1/visu.py instead of get_current_user to enforce server-side authorization.
Endpoints now requiring admin are: POST /visu/nodes/import, POST /visu/nodes, PATCH /visu/nodes/{node_id}, DELETE /visu/nodes/{node_id}, POST /visu/nodes/{node_id}/copy, PUT /visu/nodes/{node_id}/move, and PUT /visu/pages/{node_id} as implemented in obs/api/v1/visu.py.
The read/export behavior for GET /visu/nodes/{node_id}/export was left using get_current_user to preserve existing non-admin read/export functionality.
The change is minimal and focused on dependency injection for authorization checks so existing behavior and API shapes are preserved except for requiring admin on write paths.
Testing
python -m py_compile obs/api/v1/visu.py was run and succeeded, indicating the module is syntactically valid.
Running pytest -q tests/integration/test_auth.py could not complete in this environment due to a missing test dependency (pytest_asyncio).
This PR would switch the visu mutation endpoints from get_current_user to get_admin_user. That would close a previously possible privilege escalation: authenticated non-admin users could then no longer modify visu structure, access/PINs or page configs.
Concrete consequences for the project:
Security gain
Non-admin users (JWT) would consistently receive 403 on the affected write routes instead of being able to make changes.
Possible breaking change for automations using API keys
Existing API-key-based workflows for visu mutations would presumably also receive 403, because the admin check is based on users.is_admin, but API keys are currently not cleanly resolved to an admin identity.
Unchanged read behaviour
GET /visu/nodes/{id}/export would remain available to authenticated non-admin users (as intended by the PR).
Test coverage
There are currently no explicit non-admin 403 regression tests for all newly protected routes; without such tests the risk would rise that the protection is later silently weakened again.
Implication for the upcoming team decision on permissions:
This PR would effectively fix the policy at "visu mutations admin only". If the team instead aims for a finer-grained model (e.g. delegable rights per area/role), this change would serve as a short-term security hotfix but would have to be replaced in the medium term by a differentiated authorization concept.
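The dependency swap in the PR description and the review's two follow-up points (API keys falling into 403, and the missing per-route 403 regression tests) can be checked together with a table-driven model. The following is an added example, not code from the obs project: it stands in a minimal `HTTPException`, a `Principal` type and constructed token/key stores for the real JWT and API-key resolution, and assumes, as the review states, that an API key resolves to a principal without `is_admin`. The route list is the one given in the PR description.

```python
# Added example (not the project's code): models the get_current_user ->
# get_admin_user dependency swap as a table-driven authorization check so
# the 403 behaviour can be verified for every protected route at once.
# Token values, users and API keys below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class HTTPException(Exception):
    """Minimal stand-in for fastapi.HTTPException (assumed same shape)."""

    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass(frozen=True)
class Principal:
    subject: str
    is_admin: bool
    kind: str  # "jwt" or "api_key"


# Constructed credential stores. Real code verifies a JWT signature or
# hashes the API key; here the raw token string is simply the lookup key.
JWT_USERS = {
    "tok-admin": Principal("admin", True, "jwt"),
    "tok-viewer": Principal("viewer", False, "jwt"),
}
# Assumption mirroring the review caveat: an API key resolves to a principal
# that never carries is_admin, so admin-only routes reject it with 403.
API_KEYS = {"key-automation": Principal("automation", False, "api_key")}

Route = Tuple[str, str]


def get_current_user(authorization: Optional[str]) -> Principal:
    """Any authenticated identity (JWT bearer or API key); 401 otherwise."""
    if authorization:
        scheme, _, credential = authorization.partition(" ")
        if scheme == "Bearer" and credential in JWT_USERS:
            return JWT_USERS[credential]
        if scheme == "ApiKey" and credential in API_KEYS:
            return API_KEYS[credential]
    raise HTTPException(401, "not authenticated")


def get_admin_user(authorization: Optional[str]) -> Principal:
    """Authenticated *and* is_admin; 403 for every non-admin identity."""
    principal = get_current_user(authorization)
    if not principal.is_admin:
        raise HTTPException(403, "admin privileges required")
    return principal


# Route table from the PR description: write paths take the admin
# dependency, the export path keeps the plain authenticated dependency.
WRITE_ROUTES: Tuple[Route, ...] = (
    ("POST", "/visu/nodes/import"),
    ("POST", "/visu/nodes"),
    ("PATCH", "/visu/nodes/{node_id}"),
    ("DELETE", "/visu/nodes/{node_id}"),
    ("POST", "/visu/nodes/{node_id}/copy"),
    ("PUT", "/visu/nodes/{node_id}/move"),
    ("PUT", "/visu/pages/{node_id}"),
)
READ_ROUTES: Tuple[Route, ...] = (("GET", "/visu/nodes/{node_id}/export"),)
ROUTE_DEPENDENCY = {route: get_admin_user for route in WRITE_ROUTES}
ROUTE_DEPENDENCY.update({route: get_current_user for route in READ_ROUTES})


def dispatch(method: str, path: str, authorization: Optional[str]) -> int:
    """Run only the route's auth dependency and return the resulting status."""
    dependency = ROUTE_DEPENDENCY.get((method, path))
    if dependency is None:
        return 404
    try:
        dependency(authorization)
    except HTTPException as exc:
        return exc.status_code
    return 200


def status_matrix(authorization: Optional[str]) -> Dict[Route, int]:
    """Status per route for one credential: the regression check the review
    asks for, covering every protected route rather than a sample of them."""
    return {route: dispatch(route[0], route[1], authorization) for route in ROUTE_DEPENDENCY}


def non_admin_is_blocked_from_all_writes(authorization: str) -> bool:
    """True when the credential gets 403 on every write route and 200 on export."""
    matrix = status_matrix(authorization)
    return all(matrix[r] == 403 for r in WRITE_ROUTES) and all(
        matrix[r] == 200 for r in READ_ROUTES
    )


if __name__ == "__main__":
    for cred in ("Bearer tok-admin", "Bearer tok-viewer", "ApiKey key-automation", None):
        print(cred, status_matrix(cred))
```

Because the matrix is built from the same route table the dependencies are registered against, a route added later without the admin dependency shows up as a 200 for the viewer token rather than silently passing; that is the property a per-route 403 test in tests/integration/test_auth.py should pin down.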