Merge commit from fork

lunkwill42 · web-flow · commit c2b9002e4120 · 2025-05-12T13:40:44.000+02:00
Lock down API permissions for unprivileged users
diff --git a/changelog.d/+api-access-lockdown.security.md b/changelog.d/+api-access-lockdown.security.md
@@ -0,0 +1,3 @@
+Lock down API access for unprivileged users
+
+By default, NAV granted full API access to logged-in users, regardless of their configured privilege level.  This would give unprivileged users access to manipulate NAV configuration and even elevate their own user privileges to administrator level.  [Read the full security advisory here.](https://github.com/Uninett/nav/security/advisories/GHSA-gprr-5vvf-582g)
diff --git a/python/nav/web/api/v1/auth.py b/python/nav/web/api/v1/auth.py
@@ -18,6 +18,7 @@
 import logging
 from datetime import datetime
 from urllib.parse import urlparse
+
 from rest_framework.permissions import BasePermission, SAFE_METHODS
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.authentication import TokenAuthentication, BaseAuthentication
@@ -67,6 +68,14 @@ def has_permission(self, request, _view):
         return not request.account.is_default_account()
 
 
+class AdminPermission(BasePermission):
+    """Checks if the user is a NAV administrator"""
+
+    def has_permission(self, request, _view):
+        """If user is an admin, it is authorized"""
+        return request.account.is_admin()
+
+
 class TokenPermission(BasePermission):
     """Checks if the token has correct permissions"""
 
@@ -157,14 +166,6 @@ def has_permission(self, request, _view):
         return True
 
 
-class APIPermission(BasePermission):
-    """Checks for correct permissions when accessing the API"""
-
-    def has_permission(self, request, view):
-        """Checks if request is permissable
-        :type request: rest_framework.request.Request
-        """
-        return any(
-            permission().has_permission(request, view)
-            for permission in (LoggedInPermission, TokenPermission, JWTPermission)
-        )
+APITokensPermission = TokenPermission | JWTPermission
+DefaultPermission = AdminPermission | APITokensPermission
+RelaxedPermission = LoggedInPermission | APITokensPermission
diff --git a/python/nav/web/api/v1/views.py b/python/nav/web/api/v1/views.py
@@ -54,9 +54,10 @@
 from nav.web.status2 import STATELESS_THRESHOLD
 from nav.macaddress import MacPrefix
 from .auth import (
-    APIPermission,
     APIAuthentication,
+    DefaultPermission,
     NavBaseAuthentication,
+    RelaxedPermission,
 )
 from .helpers import prefix_collector
 from .filter_backends import (
@@ -68,7 +69,6 @@
 
 EXPIRE_DELTA = timedelta(days=365)
 MINIMUMPREFIXLENGTH = 4
-
 _logger = logging.getLogger(__name__)
 
 
@@ -209,7 +209,7 @@ class NAVAPIMixin(APIView):
         APIAuthentication,
         JSONWebTokenAuthentication,
     )
-    permission_classes = (APIPermission,)
+    permission_classes = (DefaultPermission,)
     renderer_classes = (JSONRenderer, BrowsableAPIRenderer)
     filter_backends = (filters.SearchFilter, DjangoFilterBackend, RelatedOrderingFilter)
     ordering_fields = '__all__'
@@ -1028,6 +1028,8 @@ class AlertHistoryViewSet(NAVAPIMixin, viewsets.ReadOnlyModelViewSet):
     """
 
     filter_backends = (AlertHistoryFilterBackend,)
+    # Logged-in users must be able to access this API to use the status tool
+    permission_classes = (RelaxedPermission,)
     model = event.AlertHistory
     serializer_class = alert_serializers.AlertHistorySerializer
     base_queryset = base = event.AlertHistory.objects.prefetch_related(

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Lock down API access for unprivileged users`
	`2`	`+`
	`3`	`+By default, NAV granted full API access to logged-in users, regardless of their configured privilege level. This would give unprivileged users access to manipulate NAV configuration and even elevate their own user privileges to administrator level. [Read the full security advisory here.](https://github.com/Uninett/nav/security/advisories/GHSA-gprr-5vvf-582g)`