Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API V3: Don't allow leaking teams through expandable fields #11471

Merged
merged 5 commits into from
Aug 5, 2024
Merged

API V3: Don't allow leaking teams through expandable fields #11471

merged 5 commits into from
Aug 5, 2024

Conversation

stsewd
Copy link
Member

@stsewd stsewd commented Jul 15, 2024
edited
Loading

  • teams is removed from organizations and projects
  • A new endpoint was added to list teams from an organization
  • I didn't implement something like that for projects, do we have the need for something like that?
  • We used to have two serializes for the organizations, one without expandable fields, and the other with expandable fields (only teams). There is no need for this anymore, so they were merged.
  • Tests are on .com

Ref https://github.com/readthedocs/readthedocs-corporate/issues/1736

📚 Documentation previews 📚

@stsewd stsewd marked this pull request as ready for review July 16, 2024 00:03
@stsewd stsewd requested review from a team as code owners July 16, 2024 00:03
@stsewd stsewd requested review from agjohnson and humitos July 16, 2024 00:03
stsewd
stsewd commented Jul 16, 2024
View reviewed changes
readthedocs/api/v3/views.py Outdated
Comment on lines 684 to 685
ListModelMixin,
GenericViewSet,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was allowing /organizations/projects/{project} which we don't want, since all project endpoints are under /projects/{project}.

stsewd
stsewd commented Jul 16, 2024
View reviewed changes
readthedocs/api/v3/mixins.py
Comment on lines +216 to +217
if self.has_admin_permission(user, organization):
return True
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the owner didn't belong to any admin teams, we were not granting permissions :_

agjohnson
agjohnson reviewed Jul 26, 2024
View reviewed changes
Copy link
Contributor

@agjohnson agjohnson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just chiming in here on the frontend/docs pieces, these look good. I'm leaving review on the API changes for @humitos, he has most context on the API.

ericholscher
ericholscher approved these changes Aug 1, 2024
View reviewed changes
Copy link
Member

@ericholscher ericholscher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems reasonable to me 👍

Does it need any updates from the permissions changes (#11485)

docs/user/api/v3.rst Outdated Show resolved Hide resolved
docs/user/api/v3.rst Outdated Show resolved Hide resolved
docs/user/api/v3.rst Outdated Show resolved Hide resolved
@stsewd stsewd merged commit cb843e4 into main Aug 5, 2024
8 checks passed
@stsewd stsewd deleted the dont-expand-teams branch August 5, 2024 19:59
@humitos humitos mentioned this pull request Aug 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agjohnson agjohnson agjohnson left review comments

@ericholscher ericholscher ericholscher approved these changes

@humitos humitos Awaiting requested review from humitos humitos is a code owner automatically assigned from readthedocs/backend

Assignees

@stsewd stsewd

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stsewd @ericholscher @agjohnson