fix: Stripe publishable key should be accessible to non-admin user #6277
Codecov Report
@@            Coverage Diff             @@
##           development    #6277      +/-   ##
===============================================
- Coverage       65.57%   65.54%   -0.04%
===============================================
  Files             286      286
  Lines           14567    14588      +21
===============================================
+ Hits             9552     9561       +9
- Misses           5015     5027      +12
Continue to review full report at Codecov.
StripeAuthorizationSchema may contain other sensitive keys as well? Or is it just the public key?
stripe_auth_code (the other field in the StripeAuthorization schema) has load_only=True, hence is never serialized in a GET request.
It contains an auth code, but that field is write-only.
Still, it should not be shown to any user. Instead, a StripeAuthorizationPublicSchema should be made which only includes public keys.
    stripe_auth_code = fields.Str(load_only=True, required=True)
blank line at end of file
@iamareebjamal done.
    decorators = (api.has_permission('is_coorganizer', fetch="event_id",
                                     fetch_as="event_id", model=StripeAuthorization),)
fossasia/open-event-frontend#3523 is happening due to this. The endpoint is /v1/stripe-authorizations; there is no event_id in the view kwargs and hence it fails every time it is accessed.
@CosmicCoder96 Can this be removed, or was it added for a specific reason? I can't see how it will work for the /v1/stripe-authorizations endpoint. Maybe it is used in some other relations. Please clarify so that we don't break something else when removing this.
@iamareebjamal It should be removed. Won't affect FE.
@kushthedude @codedsun Please handle this ASAP.
@iamareebjamal Do I have to remove the decorators?
Yes
Sending a PR!
You have to test too if decorator is the issue or not.
On Wed, 27 Nov 2019, 22:11 Suneet Srivastava wrote: "Sending a PR!"
@kushthedude @iamareebjamal has confirmed in the issue #6277 (comment).
Fixes #6276
Short description of what this resolves:
Moves the stripe authorization relationship from EventSchema to EventPublicSchema, as normal users need the publishable key.
Uses proper decorators for GET and POST requests in the StripeAuthorization API.
stripe_auth_code (the other field in the StripeAuthorization schema) has load_only=True, hence is never serialized in a GET request.
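The two points argued in this thread, a public schema that whitelists only the publishable key (with stripe_auth_code kept load_only) and a permission decorator that cannot work when the view has no event_id kwarg, are illustrated below with a plain-Python model. This is an added example, not code from open-event-server or marshmallow; only stripe_auth_code and its load_only/required attributes come from the page, while stripe_publishable_key, stripe_user_id, the co-organizer lookup and all sample values are assumptions made for the illustration.

```python
# Added example (not open-event-server code). Models, without marshmallow or
# flask-rest-jsonapi: (1) load_only fields are accepted on input and never
# serialized, and a public schema is an explicit whitelist; (2) a permission
# decorator that resolves event_id from view kwargs fails closed when the kwarg
# is absent (the /v1/stripe-authorizations case) instead of erroring later.
# stripe_publishable_key, stripe_user_id and all sample values are assumed.
from dataclasses import dataclass
from functools import wraps
from typing import Any, Callable, Dict


@dataclass
class Field:
    load_only: bool = False   # accepted by load(), omitted from dump()
    required: bool = False


class Schema:
    fields: Dict[str, Field] = {}

    def dump(self, obj: Any) -> Dict[str, Any]:
        """Serialize obj, skipping every load_only field."""
        return {n: getattr(obj, n) for n, f in self.fields.items() if not f.load_only}

    def load(self, data: Dict[str, Any]) -> Dict[str, Any]:
        """Validate input: reject unknown keys and missing required ones."""
        unknown = set(data) - set(self.fields)
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        missing = [n for n, f in self.fields.items() if f.required and n not in data]
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        return dict(data)


class StripeAuthorizationSchema(Schema):
    """Full schema for organizers; stripe_auth_code is write-only (load_only)."""
    fields = {
        "id": Field(),
        "stripe_auth_code": Field(load_only=True, required=True),
        "stripe_publishable_key": Field(),   # assumed field name
        "stripe_user_id": Field(),           # assumed, treated as sensitive
    }


class StripeAuthorizationPublicSchema(Schema):
    """Whitelist for any user: only what a checkout page needs."""
    fields = {"id": Field(), "stripe_publishable_key": Field()}


@dataclass
class StripeAuthorization:
    id: int
    stripe_auth_code: str
    stripe_publishable_key: str
    stripe_user_id: str


class PermissionDenied(Exception):
    pass


def has_event_permission(fetch: str, is_allowed: Callable[[int], bool]):
    """Resolve the event id from view kwargs, then check it. A missing kwarg
    means the endpoint is not event-scoped, so deny rather than guess."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            event_id = kwargs.get(fetch)
            if event_id is None:
                raise PermissionDenied(f"no {fetch!r} in view kwargs")
            if not is_allowed(event_id):
                raise PermissionDenied(f"not a co-organizer of event {event_id}")
            return view(*args, **kwargs)
        return wrapper
    return decorator


COORGANIZER_EVENTS = {42}  # constructed: events the caller co-organizes


@has_event_permission(fetch="event_id", is_allowed=lambda e: e in COORGANIZER_EVENTS)
def get_stripe_authorization_full(record, **kwargs):
    return StripeAuthorizationSchema().dump(record)


def get_stripe_authorization_public(record, **kwargs):
    return StripeAuthorizationPublicSchema().dump(record)


def access_result(view, record, **kwargs):
    """Call a view and return its output, or 'denied' on PermissionDenied."""
    try:
        return view(record, **kwargs)
    except PermissionDenied:
        return "denied"


SAMPLE = StripeAuthorization(  # constructed sample record
    id=7, stripe_auth_code="ac_example", stripe_publishable_key="pk_test_example",
    stripe_user_id="acct_example")

if __name__ == "__main__":
    print(access_result(get_stripe_authorization_public, SAMPLE))
    print(access_result(get_stripe_authorization_full, SAMPLE, event_id=42))
    print(access_result(get_stripe_authorization_full, SAMPLE))  # no event_id
```

Even the full schema never emits stripe_auth_code, which is the load_only point made in the thread; the public schema additionally drops stripe_user_id, which is why a separate whitelist schema is safer than relying on load_only alone. The decorated full view denies when called without event_id, matching the failure observed on /v1/stripe-authorizations.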