diff --git a/modoboa/admin/api/v1/viewsets.py b/modoboa/admin/api/v1/viewsets.py
index e79fa97fd..2c60701ed 100644
--- a/modoboa/admin/api/v1/viewsets.py
+++ b/modoboa/admin/api/v1/viewsets.py
@@ -93,7 +93,6 @@ def get_throttles(self):
 throttles = super().get_throttles()
 if self.action == "reset_password":
 throttles.append(PasswordResetRequestThrottle())
-
 return throttles
 
 def get_serializer_class(self):
diff --git a/modoboa/core/api/v2/views.py b/modoboa/core/api/v2/views.py
index c8c7ac8d8..32e07c503 100644
--- a/modoboa/core/api/v2/views.py
+++ b/modoboa/core/api/v2/views.py
@@ -9,7 +9,7 @@
 from django.contrib.auth import login
 
 from drf_spectacular.utils import extend_schema
-from rest_framework import response, status
+from rest_framework import permissions, response, status
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework_simplejwt import views as jwt_views
 from rest_framework_simplejwt.exceptions import InvalidToken
@@ -17,7 +17,11 @@
 from modoboa.core.password_hashers import get_password_hasher
 from modoboa.core.utils import check_for_updates
 
-from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle
+from modoboa.lib.permissions import IsSuperUser
+from modoboa.lib.throttle import (
+ UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle,
+ PasswordResetRequestThrottle, PasswordResetTotpThrottle
+)
 from modoboa.parameters import tools as param_tools
 from smtplib import SMTPException
@@ -192,6 +196,7 @@ def post(self, request, *args, **kwargs):
 class ComponentsInformationAPIView(APIView):
 """Retrieve information about installed components."""
 
+ permission_classes = [permissions.IsAuthenticated, IsSuperUser]
 throttle_classes = [UserLesserDdosUser]
 
 @extend_schema(responses=serializers.ModoboaComponentSerializer(many=True))
diff --git a/modoboa/lib/permissions.py b/modoboa/lib/permissions.py
index 5f7d27af6..2c5efb4bb 100644
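Review bot: The docstring of ComponentsInformationAPIView still describes the endpoint as if it were open, while the new `permission_classes` line makes it super-user only; the same applies to ParametersViewSet in modoboa/parameters/api/v2/viewsets.py. Make the access rule visible in the class contract, e.g. `"""Retrieve information about installed components (super users only)."""` and `"""Parameter viewset (super users only)."""`. Declaring `permission_classes` on the view presumably replaces the project-wide default permission list for this endpoint, so the two entries here are the whole policy; keeping `permissions.IsAuthenticated` ahead of `IsSuperUser` means anonymous requests are refused before the super-user check runs. Both class bodies continue outside their hunks.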
--- a/modoboa/lib/permissions.py
+++ b/modoboa/lib/permissions.py
@@ -3,6 +3,8 @@
 from django.contrib.auth.models import Group, Permission
 from django.contrib.contenttypes.models import ContentType
 
+from rest_framework import permissions
+
 from modoboa.core import constants as core_constants, signals as core_signals
 from modoboa.core.models import ObjectAccess, User
 
@@ -150,3 +152,10 @@ def add_permissions_to_group(group, permissions):
 group.permissions.add(
 Permission.objects.get(content_type=ct, codename=permname)
 )
+ + class IsSuperUser(permissions.BasePermission): """Permission class to allow only super users.""" + def has_permission(self, request, view): + return request.user.is_superuser
diff --git a/modoboa/parameters/api/v2/viewsets.py b/modoboa/parameters/api/v2/viewsets.py
index 84b087029..3a670f02f 100644
--- a/modoboa/parameters/api/v2/viewsets.py
+++ b/modoboa/parameters/api/v2/viewsets.py
@@ -1,9 +1,10 @@
 """Parameters viewsets."""
 
 from drf_spectacular.utils import extend_schema, OpenApiParameter
-from rest_framework import response, viewsets
+from rest_framework import permissions, response, viewsets
 from rest_framework.decorators import action
 
+from modoboa.lib.permissions import IsSuperUser
 from modoboa.lib.throttle import GetThrottleViewsetMixin
 
 from . import serializers
@@ -14,6 +15,7 @@ class ParametersViewSet(GetThrottleViewsetMixin, viewsets.ViewSet):
 """Parameter viewset."""
 
 lookup_value_regex = r"\w+"
+ permission_classes = [permissions.IsAuthenticated, IsSuperUser]
 serializer_class = None
 
 @extend_schema(responses=serializers.ApplicationSerializer(many=True))
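Review bot: `has_permission` dereferences `request.user` unconditionally, so a view that lists IsSuperUser without an authentication class or without IsAuthenticated in front of it would fail with an AttributeError when `request.user` is None rather than denying access; DRF's own IsAdminUser guards this with `bool(request.user and request.user.is_staff)`. The equivalent here is `return bool(request.user and request.user.is_superuser)`, which also normalises the result to a bool as DRF expects. Both call sites in this commit pair the class with `permissions.IsAuthenticated`, so this is a hardening of the reusable class rather than a live bug today. The docstring could also say that the check is request-level only and that `has_object_permission` keeps the BasePermission default, so any object is allowed once the user is a super user.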