authorization: refactor user delete API

Any authorized request can now delete a user; however, a logged-in user cannot delete its own account.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
Arksine 2021-05-14 11:47:56 -04:00
parent 490e66fe07
commit 2ba85533c2
1 changed files with 11 additions and 11 deletions


@ -302,19 +302,19 @@ class Authorization:
} }
def _delete_jwt_user(self, web_request): def _delete_jwt_user(self, web_request):
password = web_request.get_str('password') username = web_request.get_str('username')
user_info = web_request.get_current_user() current_user = web_request.get_current_user()
if user_info is None: if current_user is not None:
raise self.server.error("No Current User") curname = current_user.get('username', None)
username = user_info['username'] if curname is not None and curname == username:
raise self.server.error(
f"Cannot delete logged in user {curname}")
if username in RESERVED_USERS: if username in RESERVED_USERS:
raise self.server.error( raise self.server.error(
f"Invalid request for user {username}") f"Invalid Request for reserved user {username}")
salt = bytes.fromhex(user_info['salt']) user_info = self.users.get(username)
hashed_pass = hashlib.pbkdf2_hmac( if user_info is None:
'sha256', password.encode(), salt, HASH_ITER).hex() raise self.server.error(f"No registered user: {username}")
if hashed_pass != user_info['password']:
raise self.server.error("Invalid Password")
del self.users[username] del self.users[username]
IOLoop.current().call_later( IOLoop.current().call_later(
.005, self.server.send_event, .005, self.server.send_event,