From c3838022c5b8ec68a6a0fa57d7e98c8b6b05c990 Mon Sep 17 00:00:00 2001 From: AddisonDunn Date: Fri, 14 Jun 2024 15:13:07 -0400 Subject: [PATCH 1/4] check login-as cookie when doing get_restore_as_user --- corehq/apps/cloudcare/views.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/corehq/apps/cloudcare/views.py b/corehq/apps/cloudcare/views.py index d60ec2051ac7..6aaafb378151 100644 --- a/corehq/apps/cloudcare/views.py +++ b/corehq/apps/cloudcare/views.py @@ -126,7 +126,7 @@ def get_restore_as_user(request, domain): if not hasattr(request, 'couch_user'): raise Http404() - def set_cookie(response): # set_coookie is a noop by default + def set_cookie(response): # set_cookie is a noop by default return response cookie_name = urllib.parse.quote( @@ -136,8 +136,18 @@ def set_cookie(response): # set_coookie is a noop by default username = urllib.parse.unquote(username) username = get_complete_username(username, domain) user = CouchUser.get_by_username(username) - if user: + if user and request.couch_user.has_permission(domain, "login_as_all_users"): return user, set_cookie + elif user and request.couch_user.has_permission(domain, "limited_login_as"): + allowed_login_as_users = login_as_user_query( + domain, + request.couch_user, + search_string='', + limit=50, + offset=0 + ).run().hits + if user._id in [user['_id'] for user in allowed_login_as_users]: + return user, set_cookie else: def set_cookie(response): # overwrite the default noop set_cookie response.delete_cookie(cookie_name) From 19b30b5c0af81e5cd8d3ccd6f98096cd43c96965 Mon Sep 17 00:00:00 2001 From: AddisonDunn Date: Mon, 17 Jun 2024 15:34:47 -0400 Subject: [PATCH 2/4] increase login as user limit to 500 --- corehq/apps/cloudcare/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/corehq/apps/cloudcare/views.py b/corehq/apps/cloudcare/views.py index 6aaafb378151..cadbe80cb60b 100644 --- a/corehq/apps/cloudcare/views.py +++ b/corehq/apps/cloudcare/views.py @@ -143,7 +143,7 @@ def set_cookie(response): # set_cookie is a noop by default domain, request.couch_user, search_string='', - limit=50, + limit=500, offset=0 ).run().hits if user._id in [user['_id'] for user in allowed_login_as_users]: From 25544565b8db047b33a2fe3c30c6cdf8518f614f Mon Sep 17 00:00:00 2001 From: AddisonDunn Date: Tue, 18 Jun 2024 09:34:33 -0400 Subject: [PATCH 3/4] only allow logging in as the one user because that's all that's allowed for the cookie right now anyways --- corehq/apps/cloudcare/views.py | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/corehq/apps/cloudcare/views.py b/corehq/apps/cloudcare/views.py index cadbe80cb60b..e9b3746d7ac0 100644 --- a/corehq/apps/cloudcare/views.py +++ b/corehq/apps/cloudcare/views.py @@ -129,6 +129,15 @@ def get_restore_as_user(request, domain): def set_cookie(response): # set_cookie is a noop by default return response + def _get_login_as_user_query(): + return login_as_user_query( + domain, + request.couch_user, + search_string='', + limit=500, + offset=0 + ).run() + cookie_name = urllib.parse.quote( 'restoreAs:{}:{}'.format(domain, request.couch_user.username)) username = request.COOKIES.get(cookie_name) @@ -139,14 +148,8 @@ def set_cookie(response): # set_cookie is a noop by default if user and request.couch_user.has_permission(domain, "login_as_all_users"): return user, set_cookie elif user and request.couch_user.has_permission(domain, "limited_login_as"): - allowed_login_as_users = login_as_user_query( - domain, - request.couch_user, - search_string='', - limit=500, - offset=0 - ).run().hits - if user._id in [user['_id'] for user in allowed_login_as_users]: + login_as_users = _get_login_as_user_query() + if user._id == login_as_users.hits[0]['_id']: return user, set_cookie else: def set_cookie(response): # overwrite the default noop set_cookie @@ -154,13 +157,7 @@ def set_cookie(response): # overwrite the default noop set_cookie return response elif request.couch_user.has_permission(domain, 'limited_login_as'): - login_as_users = login_as_user_query( - domain, - request.couch_user, - search_string='', - limit=1, - offset=0 - ).run() + login_as_users = _get_login_as_user_query() if login_as_users.total == 1: def set_cookie(response): response.set_cookie(cookie_name, urllib.parse.quote(user.raw_username)) From fd26f90b53e8d0f405cf218f3ac8fd1f4c1c3d4d Mon Sep 17 00:00:00 2001 From: Addison Date: Wed, 26 Jun 2024 12:48:22 -0400 Subject: [PATCH 4/4] Set login_as_user_query limit to 1 Co-authored-by: Ethan Soergel --- corehq/apps/cloudcare/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/corehq/apps/cloudcare/views.py b/corehq/apps/cloudcare/views.py index e9b3746d7ac0..c29d0e95d625 100644 --- a/corehq/apps/cloudcare/views.py +++ b/corehq/apps/cloudcare/views.py @@ -134,7 +134,7 @@ def _get_login_as_user_query(): domain, request.couch_user, search_string='', - limit=500, + limit=1, offset=0 ).run()