FIX: SECURITY - disable broken API

app/api/auth.py

@@ -30,6 +30,8 @@ from functools import wraps
 from flask import abort
 from flask import g
 from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
+
+from app import log
 from app.auth.models import User
 from app.api.errors import error_response
 
@@ -71,10 +73,15 @@ def token_permission_required(permission):
     def decorator(f):
         @wraps(f)
         def decorated_function(*args, **kwargs):
+            abort(501)
             scodoc_dept = getattr(g, "scodoc_dept", None)
-            if hasattr(g, "current_user") and not g.current_user.has_permission(
+            if not hasattr(g, "current_user") or not g.current_user.has_permission(
                 permission, scodoc_dept
             ):
+                if hasattr(g, "current_user"):
+                    log(f"API permission denied (user {g.current_user})")
+                else:
+                    log(f"API permission denied (no user supplied)")
                 abort(403)
             return f(*args, **kwargs)
 

app/api/tokens.py

@@ -1,5 +1,5 @@
 from flask import jsonify
-from app import db
+from app import db, log
 from app.api import bp
 from app.api.auth import basic_auth, token_auth
 
@@ -8,6 +8,7 @@ from app.api.auth import basic_auth, token_auth
 @basic_auth.login_required
 def get_token():
     token = basic_auth.current_user().get_token()
+    log(f"API: giving token to {basic_auth.current_user()}")
     db.session.commit()
     return jsonify({"token": token})
 

sco_version.py

@@ -1,7 +1,7 @@
 # -*- mode: python -*-
 # -*- coding: utf-8 -*-
 
-SCOVERSION = "9.2.15"
+SCOVERSION = "9.2.16"
 
 SCONAME = "ScoDoc"