Added missing permissions on API endpoints

modoboa/admin/api/v1/viewsets.py

@@ -93,7 +93,6 @@ def get_throttles(self):
         throttles = super().get_throttles()
         if self.action == "reset_password":
             throttles.append(PasswordResetRequestThrottle())
-
         return throttles
 
     def get_serializer_class(self):

modoboa/core/api/v2/views.py

@@ -9,15 +9,19 @@
 from django.contrib.auth import login
 
 from drf_spectacular.utils import extend_schema
-from rest_framework import response, status
+from rest_framework import permissions, response, status
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework_simplejwt import views as jwt_views
 from rest_framework_simplejwt.exceptions import InvalidToken
 from rest_framework.views import APIView
 
 from modoboa.core.password_hashers import get_password_hasher
 from modoboa.core.utils import check_for_updates
-from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle
+from modoboa.lib.permissions import IsSuperUser
+from modoboa.lib.throttle import (
+    UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle,
+    PasswordResetRequestThrottle, PasswordResetTotpThrottle
+)
 from modoboa.parameters import tools as param_tools
 
 from smtplib import SMTPException
@@ -192,6 +196,7 @@ def post(self, request, *args, **kwargs):
 class ComponentsInformationAPIView(APIView):
     """Retrieve information about installed components."""
 
+    permission_classes = [permissions.IsAuthenticated, IsSuperUser]
     throttle_classes = [UserLesserDdosUser]
 
     @extend_schema(responses=serializers.ModoboaComponentSerializer(many=True))

modoboa/lib/permissions.py

@@ -3,6 +3,8 @@
 from django.contrib.auth.models import Group, Permission
 from django.contrib.contenttypes.models import ContentType
 
+from rest_framework import permissions
+
 from modoboa.core import constants as core_constants, signals as core_signals
 from modoboa.core.models import ObjectAccess, User
 
@@ -150,3 +152,10 @@ def add_permissions_to_group(group, permissions):
         group.permissions.add(
             Permission.objects.get(content_type=ct, codename=permname)
         )
+
+
+class IsSuperUser(permissions.BasePermission):
+    """Permission class to allow only super users."""
+
+    def has_permission(self, request, view):
+        return request.user.is_superuser

modoboa/parameters/api/v2/viewsets.py

@@ -1,9 +1,10 @@
 """Parameters viewsets."""
 
 from drf_spectacular.utils import extend_schema, OpenApiParameter
-from rest_framework import response, viewsets
+from rest_framework import permissions, response, viewsets
 from rest_framework.decorators import action
 
+from modoboa.lib.permissions import IsSuperUser
 from modoboa.lib.throttle import GetThrottleViewsetMixin
 
 from . import serializers
@@ -14,6 +15,7 @@ class ParametersViewSet(GetThrottleViewsetMixin, viewsets.ViewSet):
     """Parameter viewset."""
 
     lookup_value_regex = r"\w+"
+    permission_classes = [permissions.IsAuthenticated, IsSuperUser]
     serializer_class = None
 
     @extend_schema(responses=serializers.ApplicationSerializer(many=True))