Skip to content

fix: Stripe publishable key should be accessible to non-admin user #6277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 31, 2019
Merged

fix: Stripe publishable key should be accessible to non-admin user #6277

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions app/api/schema/events.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,6 +278,13 @@ def validate_timezone(self, data, original_data):
schema='UserSchemaPublic',
type_='user',
many=True)
stripe_authorization = Relationship(attribute='stripe_authorization',
self_view='v1.stripe_authorization_event',
self_view_kwargs={'id': '<id>'},
related_view='v1.stripe_authorization_detail',
related_view_kwargs={'event_id': '<id>'},
schema='StripeAuthorizationSchema',
type_='stripe-authorization')


class EventSchema(EventSchemaPublic):
Expand Down Expand Up @@ -355,10 +362,3 @@ class Meta:
schema='AttendeeSchema',
many=True,
type_='attendee')
stripe_authorization = Relationship(attribute='stripe_authorization',
self_view='v1.stripe_authorization_event',
self_view_kwargs={'id': '<id>'},
related_view='v1.stripe_authorization_detail',
related_view_kwargs={'event_id': '<id>'},
schema='StripeAuthorizationSchema',
type_='stripe-authorization')
22 changes: 20 additions & 2 deletions app/api/schema/stripe_authorization.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
from app.api.schema.base import SoftDeletionSchema


class StripeAuthorizationSchema(SoftDeletionSchema):
class StripeAuthorizationSchemaPublic(SoftDeletionSchema):
"""
Stripe Authorization Schema
"""
Expand All @@ -21,7 +21,6 @@ class Meta:

id = fields.Str(dump_only=True)
stripe_publishable_key = fields.Str(dump_only=True)
stripe_auth_code = fields.Str(load_only=True, required=True)

event = Relationship(attribute='event',
self_view='v1.stripe_authorization_event',
Expand All @@ -30,3 +29,22 @@ class Meta:
related_view_kwargs={'stripe_authorization_id': '<id>'},
schema="EventSchema",
type_='event')


class StripeAuthorizationSchema(StripeAuthorizationSchemaPublic):
"""
Stripe Authorization Schema
"""

class Meta:
"""
Meta class for StripeAuthorization Api Schema
"""
type_ = 'stripe-authorization'
self_view = 'v1.stripe_authorization_detail'
self_view_kwargs = {'id': '<id>'}
inflect = dasherize

stripe_auth_code = fields.Str(load_only=True, required=True)


Copy link

@houndci-bot houndci-bot Jul 31, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

blank line at end of file

44 changes: 38 additions & 6 deletions app/api/stripe_authorization.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,14 @@
from sqlalchemy.orm.exc import NoResultFound

from app.api.bootstrap import api
from flask import request
from app.api.helpers.db import safe_query, get_count, save_to_db
from app.api.helpers.exceptions import ForbiddenException, ConflictException, UnprocessableEntity
from app.api.helpers.payment import StripePaymentsManager
from app.api.helpers.permission_manager import has_access
from app.api.helpers.permissions import jwt_required
from app.api.helpers.utilities import require_relationship
from app.api.schema.stripe_authorization import StripeAuthorizationSchema
from app.api.schema.stripe_authorization import StripeAuthorizationSchema, StripeAuthorizationSchemaPublic
from app.models import db
from app.models.event import Event
from app.models.stripe_authorization import StripeAuthorization
Expand Down Expand Up @@ -69,7 +70,8 @@ def after_create_object(self, stripe_authorization, data, view_kwargs):
save_to_db(event)

schema = StripeAuthorizationSchema
decorators = (jwt_required, )
decorators = (api.has_permission('is_coorganizer', fetch="event_id",
fetch_as="event_id", model=StripeAuthorization),)
Comment on lines +73 to +74
Copy link
Member

@iamareebjamal iamareebjamal Nov 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fossasia/open-event-frontend#3523 is happening due to this. The endpoint is /v1/stripe-authorizations, there is no event_id in view kwargs and hence it fails everytime it is accessed

Copy link
Member

@iamareebjamal iamareebjamal Nov 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CosmicCoder96 Can this be removed or was it added for a specific reason. I can't see how it will work for /v1/stripe-authorizations endpoint. Maybe it is used in some other relations. Please clarify so that we don't break something else when removing this

Copy link
Contributor Author

@abhinavk96 abhinavk96 Nov 27, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@iamareebjamal It should be removed. Won't affect FE.

methods = ['POST']
data_layer = {'session': db.session,
'model': StripeAuthorization,
Expand All @@ -83,6 +85,20 @@ class StripeAuthorizationDetail(ResourceDetail):
"""
Stripe Authorization Detail Resource by ID
"""

def before_get(self, args, kwargs):
"""
method for assigning schema based on access
:param args:
:param kwargs:
:return:
"""
kwargs = get_id(kwargs)
if 'Authorization' in request.headers and has_access('is_coorganizer', event_id=kwargs['id']):
self.schema = StripeAuthorizationSchema
else:
self.schema = StripeAuthorizationSchemaPublic

def before_get_object(self, view_kwargs):
"""
method to get id of stripe authorization related to an event
Expand All @@ -107,8 +123,7 @@ def after_delete_object(self, stripe_authorization, view_kwargs):
event.is_stripe_linked = False
save_to_db(event)

decorators = (api.has_permission('is_coorganizer', fetch="event_id",
fetch_as="event_id", model=StripeAuthorization),)
decorators = (jwt_required,)
schema = StripeAuthorizationSchema
data_layer = {'session': db.session,
'model': StripeAuthorization,
Expand All @@ -123,8 +138,25 @@ class StripeAuthorizationRelationship(ResourceDetail):
Stripe Authorization Relationship
"""

decorators = (api.has_permission('is_coorganizer', fetch="event_id",
fetch_as="event_id", model=StripeAuthorization),)
decorators = (jwt_required,)
schema = StripeAuthorizationSchema
data_layer = {'session': db.session,
'model': StripeAuthorization}


def get_id(view_kwargs):
"""
method to get the resource id for fetching details
:param view_kwargs:
:return:
"""

if view_kwargs.get('event_identifier') is not None:
event = safe_query(db, Event, 'identifier', view_kwargs['event_identifier'], 'event_identifier')
if event.id is not None:
view_kwargs['event_id'] = event.id

if view_kwargs.get('event_id') is not None:
stripe_authorization = safe_query(db, StripeAuthorization, 'event_id', view_kwargs['event_id'], 'event_id')
view_kwargs['id'] = stripe_authorization.id
return view_kwargs