
Commit fb2b59d

committed
Add permission checks for various API views to enhance security
1 parent 1a9f307 commit fb2b59d

1 file changed

+33
-0
lines changed


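--- a/web/api/views.py
+++ b/web/api/views.py
@@ -333,6 +333,9 @@ def clear_all(self, request):
 
 
 class OllamaManager(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 def get(self, request):
 """
 API to download Ollama Models
@@ -918,6 +921,9 @@ def post(self, request):
 
 
 class AddTarget(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_TARGETS
+
 def post(self, request):
 req = self.request
 data = req.data
@@ -1053,6 +1059,9 @@ def post(self, request):
 
 
 class DeleteMultipleRows(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_TARGETS
+
 def post(self, request):
 req = self.request
 data = req.data
@@ -1072,6 +1081,9 @@ def post(self, request):
 
 
 class StopScan(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_INITATE_SCANS_SUBSCANS
+
 def post(self, request):
 req = self.request
 data = req.data
@@ -1169,6 +1181,9 @@ def abort_subscan(subscan):
 
 
 class InitiateSubTask(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_INITATE_SCANS_SUBSCANS
+
 def post(self, request):
 req = self.request
 data = req.data
@@ -1188,6 +1203,9 @@ def post(self, request):
 
 
 class DeleteSubdomain(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SCAN_RESULTS
+
 def post(self, request):
 req = self.request
 for id in req.data['subdomain_ids']:
@@ -1196,6 +1214,9 @@ def post(self, request):
 
 
 class DeleteVulnerability(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SCAN_RESULTS
+
 def post(self, request):
 req = self.request
 for id in req.data['vulnerability_ids']:
@@ -1265,6 +1286,9 @@ def get(self, request):
 
 
 class UninstallTool(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 def get(self, request):
 req = self.request
 tool_id = req.query_params.get('tool_id')
@@ -1303,6 +1327,9 @@ def get(self, request):
 
 
 class UpdateTool(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 def get(self, request):
 req = self.request
 tool_id = req.query_params.get('tool_id')
@@ -1335,6 +1362,9 @@ def get(self, request):
 return Response({'status': False, 'message': str(e)})
 
 class GetExternalToolCurrentVersion(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 def get(self, request):
 req = self.request
 # toolname is also the command
@@ -1371,6 +1401,9 @@ def get(self, request):
 
 
 class GithubToolCheckGetLatestRelease(APIView):
+permission_classes = [HasPermission]
+permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 def get(self, request):
 req = self.request
 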
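Review bot: Setting `permission_classes = [HasPermission]` on each view replaces DRF's default permission list rather than extending it, so unless `HasPermission` itself rejects unauthenticated requests (its implementation is not in this diff) these endpoints now rely on that single class for both the authentication gate and the capability check; if it does not, the intended form is `permission_classes = [IsAuthenticated, HasPermission]` on every hunk here (OllamaManager through GithubToolCheckGetLatestRelease). The same three-line attribute pair is hand-copied into eleven classes, which makes an omitted view easy to miss; a small base class (e.g. an `APIView` subclass that carries `permission_classes` and takes `permission_required` per subclass) plus a test that iterates this module's `APIView` subclasses and asserts each one declares `permission_required` would turn a forgotten view into a failing test rather than an open endpoint. The constant `PERM_INITATE_SCANS_SUBSCANS` (StopScan and InitiateSubTask hunks) is spelled differently from the other `PERM_*` names; if it is defined with that spelling elsewhere it is fine, otherwise this is an import-time `NameError` that a test hitting those views would catch. Each view's method body continues outside its hunk.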