
returns 403 when revoking public
dxenes1 committed Jan 19, 2023
1 parent 8d169ff commit 61b6e29
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions django/boss/views.py
Expand Up @@ -108,13 +108,18 @@ def put(self, request):
# import as to deconflict with our Token class
from rest_framework.authtoken.models import Token as TokenModel

# User name used for anonymous logins.
PUBLIC_ACCESS_USERNAME = 'public-access'

class Token(LoginRequiredMixin, View):
def get(self, request):
action = request.GET.get('action', None)

try:
token = TokenModel.objects.get(user = request.user)
if action == "Revoke":
if request.user.username == PUBLIC_ACCESS_USERNAME:
return HttpResponse(status=403, reason=f"Changing {PUBLIC_ACCESS_USERNAME}'s token forbidden")
token.delete()
token = None
except:
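Review bot: The new 403 in `Token.get` carries its explanation in `reason=`, which sets the HTTP reason phrase rather than the response body; HTTP/2 has no reason phrase and intermediaries often rewrite it, so callers will likely see a bare 403 with no message. Putting the text in the body keeps it visible: `return HttpResponse(f"Changing {PUBLIC_ACCESS_USERNAME}'s token forbidden", status=403)`. The guard also covers only the `Revoke` branch shown here; the rest of `get` lies outside the hunk, so any other path that creates or replaces this account's token should be checked for the same restriction. Separately, the revoke is still triggered by a GET query parameter, which Django's CSRF middleware treats as a safe method and does not protect, so moving the action to POST is worth a follow-up.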
