🐛 Fix permissions of global API key
Closes #3365
foosel committed Dec 3, 2019
1 parent b57b7cb commit 2200f21
Showing 3 changed files with 6 additions and 4 deletions.
5 changes: 4 additions & 1 deletion src/octoprint/access/users.py
Expand Up @@ -55,7 +55,10 @@ def anonymous_user_factory(self):
if self.enabled:
return AnonymousUser([self._group_manager.guest_group])
else:
return AdminUser([self._group_manager.admin_group])
return AdminUser([self._group_manager.admin_group, self._group_manager.user_group])

def api_user_factory(self):
return ApiUser([self._group_manager.admin_group, self._group_manager.user_group])

@property
def enabled(self):
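Review bot: The list `[self._group_manager.admin_group, self._group_manager.user_group]` is now written out twice, in the `else` branch of `anonymous_user_factory` and in the new `api_user_factory`, so the two full-access identities can drift apart again the same way the hand-built group lists at the old call sites did. A single private helper, e.g. `def _full_access_groups(self): return [self._group_manager.admin_group, self._group_manager.user_group]`, used by both returns would keep the privilege definition in one place. `api_user_factory` also has no docstring; I would add `"""Return the user for the global API key, a member of the admin and user groups."""` so callers see that it grants full access. Both methods sit in a class whose header is outside the hunk.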
2 changes: 1 addition & 1 deletion src/octoprint/server/__init__.py
Expand Up @@ -147,7 +147,7 @@ def load_user(id):
return None

if id == "_api":
return users.ApiUser([groupManager.admin_group])
return userManager.api_user_factory()

if session and "usersession.id" in session:
sessionid = session["usersession.id"]
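Review bot: The string `"_api"` in `load_user` now resolves to the full-access user from `api_user_factory()`, but nothing at this branch says the id is reserved. Where `id` comes from and whether account creation rejects the name `_api` are not visible in this hunk, so I would confirm that and add a comment such as `# "_api" is reserved for the global API key user (admin + user groups); never a regular account name`. A shared named constant for the literal would also tie this check to the place where the id is produced. `load_user` starts before and continues past the hunk.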
3 changes: 1 addition & 2 deletions src/octoprint/server/util/__init__.py
Expand Up @@ -12,7 +12,6 @@
from octoprint.settings import settings
import octoprint.timelapse
import octoprint.server
from octoprint.access.users import ApiUser

from octoprint.util import deprecated
from octoprint.plugin import plugin_manager
Expand Down Expand Up @@ -180,7 +179,7 @@ def get_user_for_apikey(apikey):
if apikey is not None:
if apikey == settings().get(["api", "key"]):
# master key was used
return ApiUser([octoprint.server.groupManager.admin_group])
return octoprint.server.userManager.api_user_factory()

if octoprint.server.userManager.enabled:
user = octoprint.server.userManager.find_user(apikey=apikey)
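Review bot: In the second hunk the branch that returns the full-access user is guarded by a plain `==` on `if apikey == settings().get(["api", "key"]):`, which is not a constant-time comparison and does not by itself rule out an empty configured key (whether the setting can be empty is not visible here). As hardening I would read the key once and compare with `hmac.compare_digest`, e.g. `global_key = settings().get(["api", "key"])` followed by `if global_key and hmac.compare_digest(apikey, global_key):`; this needs `import hmac` and both values as the same type (ASCII text or bytes). The first hunk only drops the now unused `ApiUser` import. `get_user_for_apikey` continues outside the hunk.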
