Skip to content

Broken Function-level Access Controls#1521

Merged
petrjasek merged 2 commits into
superdesk:developfrom
marwoodandrew:SDAN-768
Jul 15, 2026
Merged

Broken Function-level Access Controls#1521
petrjasek merged 2 commits into
superdesk:developfrom
marwoodandrew:SDAN-768

Conversation

@marwoodandrew

Copy link
Copy Markdown
Contributor

Purpose

Ensures that calls to the api token management endpoints require a legitimate session belonging to an administrative user.

What has changed

Checks have been added to the token management endpoints.

Steps to test

Ensure news API access tokens can be added and removed from companies in the company management/API tab.

Checklist

  • This pull request is not adding new forms that use redux
  • This pull request is adding missing TypeScript types to modified code segments where it's easy to do so with confidence
  • This pull request is replacing lodash.get with optional chaining for modified code segments

Resolves: #SDAN-768

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens function-level access control for the News API token management endpoints so that only requests coming from a valid session belonging to an administrative user can create/update/delete/read tokens.

Changes:

  • Added an is_allowed decorator that enforces “valid session + admin user” for token management routes.
  • Applied the new access control to POST, PATCH, DELETE, and GET /news_api_tokens endpoints (including converting DELETE/GET to async handlers).
  • Added tests covering forbidden access for a public user and for requests without a session (currently for POST).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File Description
tests/core/test_api_tokens.py Adds negative-path tests for token creation access control (public user + no session).
newsroom/news_api/api_tokens/views.py Introduces and applies an admin-session guard decorator to the token management endpoints.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread newsroom/news_api/api_tokens/views.py Outdated
Comment thread newsroom/news_api/api_tokens/views.py Outdated
Comment thread tests/core/test_api_tokens.py
Comment thread newsroom/news_api/api_tokens/views.py
Comment thread newsroom/news_api/api_tokens/views.py Outdated
@petrjasek petrjasek merged commit d7ce621 into superdesk:develop Jul 15, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants