Merge branch 'doc' into 'master'

Doc

See merge request ziirish/burp-ui!83

CHANGELOG.rst

@@ -6,6 +6,7 @@ Current
 
 - **BREAKING**: the *BASIC* `ACL` engine will now grant users on all agents if they are not explicitly defined
 - **BREAKING**: the *Burp1* and *Burp2* configuration sections have been merged into one single *Burp* section
+- **BREAKING**: the *running* backups are now displayed in `green` instead of `blue`
 - Add: new plugins system to allow users to write their own modules
 - Add: `Italian translation <https://git.ziirish.me/ziirish/burp-ui/merge_requests/74>`_ thanks to Enrico
 - Add: `backups deletion <https://git.ziirish.me/ziirish/burp-ui/issues/203>`_

burpui/api/__init__.py

@@ -14,7 +14,7 @@ import uuid
 import hashlib
 import logging
 
-from flask import Blueprint, Response, request, current_app, session
+from flask import Blueprint, Response, request, current_app, session, abort
 from flask_restplus import Api as ApiPlus
 from flask_login import current_user
 from importlib import import_module
@@ -61,7 +61,7 @@ def api_login_required(func):
                 not bui.config.get('LOGIN_DISABLED', False)):
             if not current_user.is_authenticated:
                 if request.headers.get('X-From-UI', False):
-                    return Response('Access denied', 403)
+                    abort(403)
                 return Response(
                     'Could not verify your access level for that URL.\n'
                     'You have to login with proper credentials', 401,
@@ -70,6 +70,25 @@ def api_login_required(func):
     return decorated_view
 
 
+def check_acl(func):
+    """Custom decorator to check if the ACL are in use or not"""
+    @wraps(func)
+    def decorated_view(*args, **kwargs):
+        if request.method in EXEMPT_METHODS:  # pragma: no cover
+            return func(*args, **kwargs)
+        # 'func' is a Flask.view.MethodView so we have access to some special
+        # params
+        cls = func.view_class
+        login_required = getattr(cls, 'login_required', True)
+        if (bui.auth != 'none' and
+                login_required and
+                not bui.config.get('LOGIN_DISABLED', False)):
+            if current_user.is_anonymous:
+                abort(403)
+        return func(*args, **kwargs)
+    return decorated_view
+
+
 class Api(ApiPlus):
     """Wrapper class around :class:`flask_restplus.Api`"""
     logger = logging.getLogger('burp-ui')

burpui/api/misc.py

@@ -242,6 +242,7 @@ class Live(Resource):
                     res.append(data)
         else:
             for client in running:
+                # TODO: fix #242 / add ACL test
                 data = {}
                 data['client'] = client
                 try:

docs/upgrading.rst

@@ -17,9 +17,13 @@ v0.6.0
   granted on both clients on the two agents. You can disable this behavior with
   the `legacy` option. See the `BASIC ACL <advanced_usage.html#basic-acl>`__
   documentation for details.
-- **Breaking**: the *Burp1* and *Burp2* configuration sections have been merged
+- **Breaking** - The *Burp1* and *Burp2* configuration sections have been merged
   into one single *Burp* section. See the
   `Versions <advanced_usage.html#versions>`__ documentation for details.
+- **Breaking** - The *running* backups are now displayed in `green` instead of
+  `blue`.
+- **New** - Plugin system to enhance ACL and Authentication backends. See the
+  `Plugins <plugins.html>`__ documentation for details.
 - **New** - WebSocket support for better/smarter notifications.
 
 v0.5.0

requirements.txt

@@ -1,4 +1,4 @@
-Flask==0.12
+Flask==0.12.2
 Flask-Login==0.4.0
 Flask-Bower==1.3.0
 Flask-Babel==0.11.2