Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Allow accessing `_api/cluser/endpoints` as authenticated user via the `_system` database. (#7342)

This commit is contained in:
Lars Maier 2018-11-16 10:03:14 +01:00 committed by Max Neunhöffer
parent 447ab7bce5
commit a03528b7a2
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
arangod/GeneralServer/GeneralCommTask.cpp
View File

@ -135,11 +135,11 @@ bool resolveRequestContext(GeneralRequest& req) {
if (!guard) { if (!guard) {
return false; return false;
} }
// the vocbase context is now responsible for releasing the vocbase // the vocbase context is now responsible for releasing the vocbase
req.setRequestContext(guard.get(), true); req.setRequestContext(guard.get(), true);
guard.release(); guard.release();
// the "true" means the request is the owner of the context // the "true" means the request is the owner of the context
return true; return true;
} }
@ -489,11 +489,12 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
// no authentication required at all // no authentication required at all
return rest::ResponseCode::OK; return rest::ResponseCode::OK;
} }
std::string const& path = request.requestPath(); std::string const& path = request.requestPath();
std::string const& username = request.user(); std::string const& username = request.user();
bool userAuthenticated = request.authenticated();
rest::ResponseCode result = request.authenticated() rest::ResponseCode result = userAuthenticated
? rest::ResponseCode::OK ? rest::ResponseCode::OK
: rest::ResponseCode::UNAUTHORIZED; : rest::ResponseCode::UNAUTHORIZED;
@ -505,7 +506,7 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
result = rest::ResponseCode::UNAUTHORIZED; result = rest::ResponseCode::UNAUTHORIZED;
LOG_TOPIC(TRACE, Logger::AUTHORIZATION) << "Access forbidden to " << path; LOG_TOPIC(TRACE, Logger::AUTHORIZATION) << "Access forbidden to " << path;
if (request.authenticated()) { if (userAuthenticated) {
request.setAuthenticated(false); request.setAuthenticated(false);
} }
} }
@ -552,6 +553,10 @@ rest::ResponseCode GeneralCommTask::canAccessPath(
// req.user when it could be validated // req.user when it could be validated
result = rest::ResponseCode::OK; result = rest::ResponseCode::OK;
vc->forceSuperuser(); vc->forceSuperuser();
} else if (userAuthenticated && path == "/_api/cluster/endpoints") {
// allow authenticated users to access cluster/endpoints
result = rest::ResponseCode::OK;
//vc->forceReadOnly();
} else if (request.requestType() == RequestType::POST && } else if (request.requestType() == RequestType::POST &&
!username.empty() && !username.empty() &&
StringUtils::isPrefix(path, ApiUser + username + '/')) { StringUtils::isPrefix(path, ApiUser + username + '/')) {