Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[change] Improve endpoints to download firmware images #69

Open
1 of 3 tasks
nemesifier opened this issue May 27, 2020 · 0 comments
Open
1 of 3 tasks

[change] Improve endpoints to download firmware images #69

nemesifier opened this issue May 27, 2020 · 0 comments
Labels
enhancement New feature or request Hacktoberfest Easy issues for attracting Hacktoberfest participants.

Comments

@nemesifier
Copy link
Member

nemesifier commented May 27, 2020
edited
Loading

Right now, the API endpoint which shows the image information, has a field, called "file", which links to the private-storage view.
But we also have an API endpoint to download the firmware, although it's implemented differently than the private storage view.

It also looks that the private storage view does not check if the user has "view permission" on the object. So it would be theoretically possible that a staff user without premissions to view firmware images can still download the firmware image, which is a problem.

Therefore, I think we should do the following things:

  • Find a way to call openwisp_firmware_upgrader.private_storage.views.FirmwareImageDownloadView from openwisp_firmware_upgrader.api.views.FirmwareImageDownloadView, to avoid duplicating logic
  • Change the file attribute of FirmwareImageSerializer to point to the API URL (because API supports token authentication (we need a test that ensures the new URL is not the one generated by private_storage)
  • Ensure the private storage view checks whether the user has the view permission on FirmwareImage objects (we need a test for this), once this is done, we can try to set permission_classes to an empty list on the API FirmwareImageDownloadView, to avoid checking permissions twice, in theory it should work
@nemesifier nemesifier added the enhancement New feature or request label May 27, 2020
nemesifier added a commit that referenced this issue Jul 4, 2020
@PabloCastellano @nemesifier
[helpers] Use new User.is_member() in FirmwareImageDownloadView
39278d1 
Related to openwisp/openwisp-users#107

Call private_storage.views.firmware_image_download directly
Related to #69 

Co-authored-by: Federico Capoano <[email protected]>
@nemesifier nemesifier added the Hacktoberfest Easy issues for attracting Hacktoberfest participants. label Oct 1, 2021
@nemesifier nemesifier changed the title [fw-upgrader] Improve endpoints to download firmware images [change] Improve endpoints to download firmware images Feb 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request Hacktoberfest Easy issues for attracting Hacktoberfest participants.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nemesifier