Skip to content

Validate permission input consistently #964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Dreamsorcerer merged 4 commits into from
Mar 4, 2026
Merged

Validate permission input consistently #964

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
be205ad
Validate permissions before checks
shuofengzhang Mar 3, 2026
3ade6b2
Apply suggestion from @Dreamsorcerer
Dreamsorcerer Mar 4, 2026
a657990
Apply suggestions from code review
Dreamsorcerer Mar 4, 2026
76a0b23
Apply suggestion from @Dreamsorcerer
Dreamsorcerer Mar 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions aiohttp_security/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,10 +64,15 @@ async def authorized_userid(request: web.Request) -> Optional[str]:
return user_id


async def permits(request: web.Request, permission: Union[str, enum.Enum],
context: Any = None) -> bool:

Comment thread
Dreamsorcerer marked this conversation as resolved.
Outdated
def _validate_permission(permission: Union[str, enum.Enum]) -> None:
if not permission or not isinstance(permission, (str, enum.Enum)):
raise ValueError("Permission should be a str or enum value.")


async def permits(request: web.Request, permission: Union[str, enum.Enum],
context: Any = None) -> bool:
_validate_permission(permission)
identity_policy: _AIP = request.config_dict.get(IDENTITY_KEY)
autz_policy: _AAP = request.config_dict.get(AUTZ_KEY)
if identity_policy is None or autz_policy is None:
Expand Down Expand Up @@ -104,13 +109,14 @@ async def check_authorized(request: web.Request) -> str:

async def check_permission(request: web.Request, permission: Union[str, enum.Enum],
context: Any = None) -> None:
"""Checker that passes only to authoraised users with given permission.
"""Checker that passes only to authorized users with given permission.

If user is not authorized - raises HTTPUnauthorized,
if user is authorized and does not have permission -
raises HTTPForbidden.
"""

_validate_permission(permission)
await check_authorized(request)
allowed = await permits(request, permission, context)
if not allowed:
Expand Down
17 changes: 16 additions & 1 deletion tests/test_no_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
from aiohttp import web
import pytest
Comment thread
Dreamsorcerer marked this conversation as resolved.
Outdated

from aiohttp_security import authorized_userid, permits
from aiohttp_security import authorized_userid, check_permission, permits


async def test_authorized_userid(aiohttp_client):
Expand Down Expand Up @@ -33,3 +34,17 @@ async def check(request):
client = await aiohttp_client(app)
resp = await client.get('/')
assert 200 == resp.status


async def test_check_permission_rejects_invalid_value(aiohttp_client):

async def check(request):
with pytest.raises(ValueError):
await check_permission(request, None)
Comment thread
Dreamsorcerer marked this conversation as resolved.
Outdated
return web.Response()

app = web.Application()
app.router.add_route('GET', '/', check)
client = await aiohttp_client(app)
resp = await client.get('/')
assert 200 == resp.status
Loading