diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 753817d0..114e7fcf 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,7 @@ Current
 - **BREAKING**: the *BASIC* `ACL` engine will now grant users on all agents if they are not explicitly defined
 - **BREAKING**: the *Burp1* and *Burp2* configuration sections have been merged into one single *Burp* section
+- **BREAKING**: the *running* backups are now displayed in `green` instead of `blue`
 - Add: new plugins system to allow users to write their own modules
 - Add: `Italian translation `_ thanks to Enrico
 - Add: `backups deletion `_
diff --git a/burpui/api/__init__.py b/burpui/api/__init__.py
index 34ee4c8e..650f7e85 100644
--- a/burpui/api/__init__.py
+++ b/burpui/api/__init__.py
@@ -14,7 +14,7 @@ import uuid
 import hashlib
 import logging
-from flask import Blueprint, Response, request, current_app, session
+from flask import Blueprint, Response, request, current_app, session, abort
 from flask_restplus import Api as ApiPlus
 from flask_login import current_user
 from importlib import import_module
@@ -61,7 +61,7 @@ def api_login_required(func):
                 not bui.config.get('LOGIN_DISABLED', False)):
             if not current_user.is_authenticated:
                 if request.headers.get('X-From-UI', False):
-                    return Response('Access denied', 403)
+                    abort(403)
                 return Response(
                     'Could not verify your access level for that URL.\n'
                     'You have to login with proper credentials', 401,
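Review bot: `abort(403)` raises an HTTPException instead of returning a Response, so the body of the 403 is now whatever error handler catches it — flask-restplus's JSON error handler if this decorator only ever wraps views registered on the `Api`, Flask's default HTML error page otherwise — and the previous plain-text `'Access denied'` body is gone; worth confirming the UI's AJAX code does not key on that text. The branch is still selected by the client-supplied `X-From-UI` header, which is acceptable only as long as both branches deny (they do here), so a comment such as `# X-From-UI is client-controlled: it may change the response shape, never the access decision` would keep that invariant visible to the next editor. The enclosing `decorated_view` inside `api_login_required` starts before this hunk and the 401 `Response(...)` call continues past it.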
@@ -70,6 +70,25 @@ def api_login_required(func):
     return decorated_view
+def check_acl(func):
+    """Custom decorator to check if the ACL are in use or not"""
+    @wraps(func)
+    def decorated_view(*args, **kwargs):
+        if request.method in EXEMPT_METHODS:  # pragma: no cover
+            return func(*args, **kwargs)
+        # 'func' is a Flask.view.MethodView so we have access to some special
+        # params
+        cls = func.view_class
+        login_required = getattr(cls, 'login_required', True)
+        if (bui.auth != 'none' and
+                login_required and
+                not bui.config.get('LOGIN_DISABLED', False)):
+            if current_user.is_anonymous:
+                abort(403)
+        return func(*args, **kwargs)
+    return decorated_view
+
+
 class Api(ApiPlus):
     """Wrapper class around :class:`flask_restplus.Api`"""
     logger = logging.getLogger('burp-ui')
diff --git a/burpui/api/misc.py b/burpui/api/misc.py
index 4eeb6ae7..b7474373 100644
--- a/burpui/api/misc.py
+++ b/burpui/api/misc.py
@@ -242,6 +242,7 @@ class Live(Resource):
                 res.append(data)
             else:
                 for client in running:
+                    # TODO: fix #242 / add ACL test
                     data = {}
                     data['client'] = client
                     try:
diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index 7b507f72..dc3f8de4 100644
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -17,9 +17,13 @@ v0.6.0
   granted on both clients on the two agents. You can disable this behavior with the `legacy` option. See the `BASIC ACL `__ documentation for details.
-- **Breaking**: the *Burp1* and *Burp2* configuration sections have been merged
+- **Breaking** - The *Burp1* and *Burp2* configuration sections have been merged
   into one single *Burp* section. See the `Versions `__ documentation for details.
+- **Breaking** - The *running* backups are now displayed in `green` instead of
+  `blue`.
+- **New** - Plugin system to enhance ACL and Authentication backends. See the
+  `Plugins `__ documentation for details.
 - **New** - WebSocket support for better/smarter notifications.
 v0.5.0
diff --git a/requirements.txt b/requirements.txt
index c7cca198..d04289b9 100644
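Review bot: The docstring on `check_acl` says it checks "if the ACL are in use or not", but the body never consults the ACL engine — it only rejects anonymous users on views whose class sets `login_required`; a docstring such as `"""Reject anonymous users on views that require login; per-client ACL checks remain the view's job"""` (or a name like `login_required_view`) would stop readers from assuming authorization happens here. `cls = func.view_class` raises AttributeError if the decorator is ever applied to anything other than a `MethodView.as_view()` result; `cls = getattr(func, 'view_class', None)` keeps the following `getattr(cls, 'login_required', True)` working, defaulting to a required login. The decision also uses `current_user.is_anonymous` while `api_login_required` in the previous hunk uses `not current_user.is_authenticated` and distinguishes 401 from 403; the two decorators should agree on both the predicate and the status unless the difference is intentional, in which case a one-line comment stating why belongs next to `abort(403)`.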
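Review bot: The `for client in running:` loop in the `else` branch builds a live-backup entry for every running client with no ACL filter, so any authenticated caller of this endpoint can learn which other clients are currently backing up; the new `# TODO: fix #242 / add ACL test` records the gap without closing it. Until #242 is addressed, a guard at the top of the loop that skips clients the current user is not allowed to see (the ACL check the rest of the API presumably applies to client data, in the form `if <current user not allowed on client>: continue`) would limit the disclosure to names that user can already see. The enclosing method of `Live` starts before this hunk and its `try:` body continues past it.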
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-Flask==0.12
+Flask==0.12.2
 Flask-Login==0.4.0
 Flask-Bower==1.3.0
 Flask-Babel==0.11.2