Flask-AppBuilder icon indicating copy to clipboard operation
Flask-AppBuilder copied to clipboard

Published 20 hours ago verified publisher icon dpgaspar

fix: updating user using FAB security api breaking user password hash

Open Always-prog opened this issue 1 year ago • 3 comments

Description

Updating a user using the FAB security API breaks the user’s password hash. This is because in the pre_update function of the user model, the item parameter is the user model. The check at this line is always true because the user already has a password. https://github.com/dpgaspar/Flask-AppBuilder/blob/59db85df13e5484ae24a7a9365986a15a7d9eb1f/flask_appbuilder/security/sqla/apis/user/api.py#L71-L72

I fixed it by moving checking password change to put endpoint of the user model.

Testing instructions

  1. Enable FAB_ADD_SECURITY_API in the config
  2. Get API token for making requests
import requests
import json

url = "http://localhost:8088/api/v1/security/login"

payload = json.dumps({
  "password": "admin",
  "provider": "db",
  "refresh": True,
  "username": "admin"
})

response = requests.request("POST", url, headers=headers, data=payload)
  1. Change a role/first_name/last_name or any field in user model
target_user_id = 2
url = f"http://localhost:8088/api/v1/security/users/{target_user_id}"

payload = json.dumps({
  "roles": [
    3,
    4
  ]
})
headers = {
  'Authorization': 'Bearer <token>',
  'Content-Type': 'application/json'
}

response = requests.request("PUT", url, headers=headers, data=payload)

After 3 step, target user is not able to login with her old password

ADDITIONAL INFORMATION

  • [ ] Has associated issue:
  • [ ] Is CRUD MVC related.
  • [ ] Is Auth, RBAC security related.
  • [ ] Changes the security db schema.
  • [ ] Introduces new feature
  • [ ] Removes existing feature

Always-prog avatar Dec 27 '23 11:12 Always-prog

Codecov Report

Attention: Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

Project coverage is 48.36%. Comparing base (59db85d) to head (bc6e81a). Report is 30 commits behind head on master.

Files Patch % Lines
flask_appbuilder/security/sqla/apis/user/api.py 0.00% 2 Missing :warning:

:exclamation: There is a different number of reports uploaded between BASE (59db85d) and HEAD (bc6e81a). Click for more details.

HEAD has 7 uploads less than BASE
Flag BASE (59db85d) HEAD (bc6e81a)
python 8 1
Additional details and impacted files 
@@             Coverage Diff             @@
##           master    #2179       +/-   ##
===========================================
- Coverage   79.31%   48.36%   -30.96%     
===========================================
  Files          72       72               
  Lines        8974     8699      -275     
===========================================
- Hits         7118     4207     -2911     
- Misses       1856     4492     +2636
Flag Coverage Δ
python 48.36% <0.00%> (-30.96%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Dec 27 '23 11:12 codecov[bot]

I'll look why test cases failing

Always-prog avatar Dec 27 '23 12:12 Always-prog

Is there a solution?

18191518054 avatar Jul 26 '24 03:07 18191518054