allow read only pages to be requested without authorization

2021-09-05 06:09:43 +03:00
parent d7bf647493
commit 19d1e17727
7 changed files with 27 additions and 11 deletions


@ -45,6 +45,7 @@ class Auth:
:param configuration: configuration instance
:param provider: authorization type definition
"""
self.allow_read_only = configuration.getboolean("auth", "allow_read_only")
self.allowed_paths = set(configuration.getlist("auth", "allowed_paths"))
self.allowed_paths.update(self.ALLOWED_PATHS)
self.allowed_paths_groups = set(configuration.getlist("auth", "allowed_paths_groups"))
@ -74,14 +75,17 @@ class Auth:
del username, password
return True
def is_safe_request(self, uri: Optional[str]) -> bool:
def is_safe_request(self, uri: Optional[str], required: UserAccess) -> bool:
"""
check if requested path are allowed without authorization
:param uri: request uri
:param required: required access level
:return: True in case if this URI can be requested without authorization and False otherwise
"""
if not uri:
return False # request without context is not allowed
if required == UserAccess.Read and self.allow_read_only:
return True # in case if read right requested and allowed in options
return uri in self.allowed_paths or any(uri.startswith(path) for path in self.allowed_paths_groups)
def known_username(self, username: str) -> bool: # pylint: disable=no-self-use
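Review bot: The new early return in `is_safe_request` (`if required == UserAccess.Read and self.allow_read_only: return True`) never looks at `uri`, so with the option enabled every request classified as Read skips authorization, not only the paths in `allowed_paths` or `allowed_paths_groups`. How `required` is chosen is outside this hunk (the middleware call `validator.is_safe_request(request.path, permission)` in the next file section passes it in), so the bypass is only as narrow as that classification; if it follows the HTTP method, any read endpoint that returns sensitive data becomes public. I would state this in the docstring, e.g. `:param required: required access level; Read is granted for any uri when allow_read_only is set`, and keep sensitive read endpoints behind an explicit check. Also confirm that `configuration.getboolean("auth", "allow_read_only")` in the first hunk has a shipped default of false, so that an existing configuration without the key neither fails at startup nor opens read access.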


@ -80,7 +80,7 @@ def auth_handler(validator: Auth) -> MiddlewareType:
else:
permission = UserAccess.Write
if not validator.is_safe_request(request.path):
if not validator.is_safe_request(request.path, permission):
await aiohttp_security.check_permission(request, permission, request.path)
return await handler(request)


@ -85,7 +85,7 @@ class IndexView(BaseView):
# auth block
auth_username = await authorized_userid(self.request)
authorized = not self.validator.enabled or auth_username is not None
authorized = not self.validator.enabled or self.validator.allow_read_only or auth_username is not None
return {
"architecture": self.service.architecture,