Restrict modifications to staff users authed via session

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/api_v2.py

@@ -18,8 +18,9 @@
 from rest_framework import serializers
 from rest_framework import status
 from rest_framework import viewsets
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import BasePermission
 from rest_framework.response import Response
 from rest_framework.reverse import reverse
 
@@ -628,6 +629,17 @@ class CreateListRetrieveUpdateViewSet(
     pass
 
 
+class IsAdminWithSessionAuth(BasePermission):
+    """Permit only staff users authenticated via session (not token)."""
+
+    def has_permission(self, request, view):
+        is_authenticated = request.user and request.user.is_authenticated
+        is_staff = request.user and request.user.is_staff
+        is_session_auth = isinstance(request.successful_authenticator, SessionAuthentication)
+
+        return is_authenticated and is_staff and is_session_auth
+
+
 class PipelineRunAPISerializer(serializers.HyperlinkedModelSerializer):
     status = serializers.SerializerMethodField()
     execution_time = serializers.SerializerMethodField()
@@ -653,7 +665,8 @@ def get_status(self, run):
         return run.status
 
     def get_execution_time(self, run):
-        return round(run.execution_time, 2)
+        if run.execution_time:
+            return round(run.execution_time, 2)
 
     def get_log(self, run):
         """Return only last 5000 character of log."""
@@ -719,7 +732,7 @@ def get_serializer_class(self):
         return super().get_serializer_class()
 
     def get_permissions(self):
-        """Restrict modifications to admin users."""
+        """Restrict addition and modifications to staff users authenticated via session."""
         if self.action not in ["list", "retrieve"]:
-            return [IsAdminUser()]
+            return [IsAdminWithSessionAuth()]
         return super().get_permissions()

vulnerabilities/models.py

@@ -2197,6 +2197,12 @@ def pipeline_class(self):
         if self.pipeline_id in IMPORTERS_REGISTRY:
             return IMPORTERS_REGISTRY.get(self.pipeline_id)
 
+    @property
+    def description(self):
+        """Return the pipeline class."""
+        if self.pipeline_class:
+            return self.pipeline_class.__doc__
+
     @property
     def all_runs(self):
         """Return all the previous run instances for this pipeline."""
@@ -2208,14 +2214,14 @@ def latest_run(self):
 
     @property
     def earliest_run(self):
-        return self.pipelineruns.earliest("created_date") if self.pipelineruns.exists() else None
+        return self.pipelineruns.earliest("run_start_date") if self.pipelineruns.exists() else None
 
     @property
     def latest_run_date(self):
         if not self.pipelineruns.exists():
             return
-        latest_run = self.pipelineruns.values("created_date").first()
-        return latest_run["created_date"]
+        latest_run = self.pipelineruns.values("run_start_date").first()
+        return latest_run["run_start_date"]
 
     @property
     def next_run_date(self):

vulnerablecode/settings.py

@@ -215,7 +215,10 @@
 # Django restframework
 
 REST_FRAMEWORK = {
-    "DEFAULT_AUTHENTICATION_CLASSES": ("rest_framework.authentication.TokenAuthentication",),
+    "DEFAULT_AUTHENTICATION_CLASSES": (
+        "rest_framework.authentication.SessionAuthentication",
+        "rest_framework.authentication.TokenAuthentication",
+    ),
     "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
     "DEFAULT_RENDERER_CLASSES": (
         "rest_framework.renderers.JSONRenderer",