
[feature] Allow viewing shared objects by non superadministrators as view only

Open nemesifier opened this issue 8 months ago • 0 comments

Implement the solution devised in https://github.com/openwisp/openwisp-users/issues/238.

We must add tests (ideally reusable test logic to make maintenance sane) that for each model verify the following:

  • shared objects can be viewed in read-only mode also by non superusers (admin and REST API)
  • new shared object can be created only by superusers (admin and REST API)
  • existing shared objects can only be changed/deleted by superusers (admin and REST API)

I found that after upgrading DRF to 3.16 endpoints using the CaListSerializer were failing with the following error:

assert not (required and default is not empty), NOT_REQUIRED_DEFAULT
AssertionError: May not set both `required` and `default`

It happens because of this line: https://github.com/openwisp/openwisp-controller/blob/1745a0a04f43708d7b402a292d208ca20a010376/openwisp_controller/pki/api/serializers.py#L81

If I remove that line, the tests pass, but I am then able to create a shared Ca with a non superuser org admin/manager user account, which is not what we want and is worrying: we need tests to protect us from these possible security holes. I also verified that upgrading to DRF 3.16 allows creating objects by omitting the "organization" field, hence allowing non superusers to omit this field and create shared objects, opening security holes.

I think it may be necessary to work on these changes while also upgrading DRF to 3.16 and bind the version, otherwise we may have to work on this twice.

nemesifier, Apr 26 '25 18:04
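A standalone sketch of the three rules the issue wants tested, expressed as a reusable expectation matrix. This is an added example, not code from openwisp-controller: `User`, `Obj` and `is_allowed` are assumed stand-ins for the Django user, a model with a nullable `organization`, and the combined DRF permission/serializer check; it only shows the decision logic, including the "organization key omitted" case the issue describes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    is_superuser: bool
    org: Optional[str] = None   # organization the user administers (assumed stand-in)


@dataclass
class Obj:
    org: Optional[str]          # None means the object is shared (organization=None)


def is_allowed(user: User, action: str, obj: Optional[Obj] = None,
               payload: Optional[dict] = None) -> bool:
    """Decide whether `user` may `action` ('view', 'change', 'delete') on `obj`,
    or 'create' an object from the request `payload` (a constructed dict)."""
    if user.is_superuser:
        return True
    if action == "create":
        # A missing "organization" key is treated exactly like an explicit null:
        # both would yield a shared object, which only superusers may create.
        org = (payload or {}).get("organization")
        return org is not None and org == user.org
    assert obj is not None and action in ("view", "change", "delete")
    if obj.org is None:                 # shared object: read-only for non-superusers
        return action == "view"
    return obj.org == user.org          # own-organization objects are fully editable


def shared_object_rule_failures(allowed=is_allowed) -> list:
    """Reusable per-model check: returns [] when `allowed` enforces all rules,
    otherwise the (user, action, obj, payload) cases that were decided wrongly."""
    su, admin = User(True), User(False, "org-a")
    shared, own = Obj(None), Obj("org-a")
    expected = [
        # (user, action, obj, payload, expected decision)
        (admin, "view", shared, None, True),
        (admin, "change", shared, None, False),
        (admin, "delete", shared, None, False),
        (admin, "create", None, {}, False),                     # key omitted
        (admin, "create", None, {"organization": None}, False),  # explicit null
        (admin, "create", None, {"organization": "org-a"}, True),
        (admin, "change", own, None, True),
        (su, "create", None, {}, True),
        (su, "delete", shared, None, True),
    ]
    return [(u, a, o, p) for u, a, o, p, want in expected
            if allowed(u, a, o, p) != want]
```

Running `shared_object_rule_failures` against each model's real permission logic gives the reusable test the issue asks for; a policy that lets a non-superuser omit `organization` shows up as a failure for the `{}` create case.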