API keys Access Fix. (#613)

* API keys should only be visible to the user who created them. * updated docstring * replaced query filter with permission --------- Co-authored-by: Hari John Kuriakose <[email protected]>
Zipstack · Aug 24, 2024 · f705bb7 · f705bb7
1 parent ccad748
commit f705bb7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/backend/api/api_key_views.py b/backend/api/api_key_views.py
@@ -5,6 +5,7 @@
 from api.key_helper import KeyHelper
 from api.models import APIKey
 from api.serializers import APIKeyListSerializer, APIKeySerializer
+from permissions.permission import IsOwner
 from pipeline.exceptions import PipelineNotFound
 from pipeline.pipeline_processor import PipelineProcessor
 from rest_framework import serializers, viewsets
@@ -15,6 +16,7 @@
 
 class APIKeyViewSet(viewsets.ModelViewSet):
     queryset = APIKey.objects.all()
+    permission_classes = [IsOwner]
 
     def get_serializer_class(self) -> serializers.Serializer:
         if self.action in ["api_keys"]:
@@ -33,11 +35,13 @@ def api_keys(
             api = DeploymentHelper.get_api_by_id(api_id=api_id)
             if not api:
                 raise APINotFound()
+            self.check_object_permissions(request, api)
             keys = KeyHelper.list_api_keys_of_api(api_instance=api)
         elif pipeline_id:
             pipeline = PipelineProcessor.get_active_pipeline(pipeline_id=pipeline_id)
             if not pipeline:
                 raise PipelineNotFound()
+            self.check_object_permissions(request, pipeline)
             keys = KeyHelper.list_api_keys_of_pipeline(pipeline_instance=pipeline)
         else:
             raise PathVariablesNotFound(

diff --git a/backend/pipeline/pipeline_processor.py b/backend/pipeline/pipeline_processor.py
@@ -28,6 +28,9 @@ def initialize_pipeline_sync(pipeline_id: str) -> Pipeline:
     @staticmethod
     def fetch_pipeline(pipeline_id: str, check_active: bool = True) -> Pipeline:
         """Retrieves and checks for an active pipeline.
+        Args:
+            pipeline_id (str): UUID of the pipeline
+            check_active (bool): Whether to check if the pipeline is active
 
         Raises:
             InactivePipelineError: If an active pipeline is not found