Add is_admin check to check configuration API (home-assistant#97788)

jkager · Aug 4, 2023 · b286da2 · b286da2
1 parent 66cb407
commit b286da2
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/homeassistant/components/config/core.py b/homeassistant/components/config/core.py
@@ -9,6 +9,7 @@
 from homeassistant.components.sensor import async_update_suggested_units
 from homeassistant.config import async_check_ha_config_file
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import Unauthorized
 from homeassistant.helpers import config_validation as cv
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
 from homeassistant.util import location, unit_system
@@ -30,6 +31,9 @@ class CheckConfigView(HomeAssistantView):
 
     async def post(self, request):
         """Validate configuration and return results."""
+        if not request["hass_user"].is_admin:
+            raise Unauthorized()
+
         errors = await async_check_ha_config_file(request.app["hass"])
 
         state = "invalid" if errors else "valid"

diff --git a/tests/components/config/test_core.py b/tests/components/config/test_core.py
@@ -60,6 +60,21 @@ async def test_validate_config_ok(
     assert result["errors"] == "beer"
 
 
+async def test_validate_config_requires_admin(
+    hass: HomeAssistant,
+    hass_client: ClientSessionGenerator,
+    hass_read_only_access_token: str,
+) -> None:
+    """Test checking configuration does not work as a normal user."""
+    with patch.object(config, "SECTIONS", ["core"]):
+        await async_setup_component(hass, "config", {})
+
+    client = await hass_client(hass_read_only_access_token)
+    resp = await client.post("/api/config/core/check_config")
+
+    assert resp.status == HTTPStatus.UNAUTHORIZED
+
+
 async def test_websocket_core_update(hass: HomeAssistant, client) -> None:
     """Test core config update websocket command."""
     assert hass.config.latitude != 60

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -744,10 +744,10 @@ def hass_client(
 ) -> ClientSessionGenerator:
     """Return an authenticated HTTP client."""
 
-    async def auth_client() -> TestClient:
+    async def auth_client(access_token: str | None = hass_access_token) -> TestClient:
         """Return an authenticated client."""
         return await aiohttp_client(
-            hass.http.app, headers={"Authorization": f"Bearer {hass_access_token}"}
+            hass.http.app, headers={"Authorization": f"Bearer {access_token}"}
         )
 
     return auth_client