You can POST to https://quarry.wmflabs.org/api/query/run giving any value for query_id - it doesn't have to be one of your query IDs.
Description
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
Slightly stronger user authentication check | analytics/quarry/web | master | +3 -0
Event Timeline
This allows you to overwrite other users' SQL queries, and the only way I know of getting them back is going through the database manually.
Oops.
diff --git a/quarry/web/app.py b/quarry/web/app.py index 9a3d85a..d6cc96a 100644 --- a/quarry/web/app.py +++ b/quarry/web/app.py @@ -209,6 +209,9 @@ def api_run_query(): text = request.form['text'] query = g.conn.session.query(Query).filter(Query.id == request.form['query_id']).one() + if query.user_id != get_user().id: + return "Authorization denied", 401 + if query.latest_rev and query.latest_rev.latest_run: result = worker.run_query.AsyncResult(query.latest_rev.latest_run.task_id) if not result.ready():
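Review bot: the status code in the new check (`return "Authorization denied", 401`) does not match its condition: `query.user_id != get_user().id` fires for a logged-in user who simply does not own the query, which is a permission failure, so 403 is the appropriate response, with 401 reserved for requests that carry no authenticated user at all. If `get_user()` can return None for anonymous requests, `get_user().id` will raise rather than deny, so test for a missing user first and return 401 from that branch. Separately, the preceding `.one()` lookup raises for an unknown `query_id`, so a bogus id produces a 500 instead of a 404; consider `.first()` with an explicit not-found branch.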
How does that look?
Presumably should be 403 since it's not so much that the user needs to log in as that they do not have permission.
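The ownership check discussed in this task, written out as an added example that is not Quarry's own code: a framework-free stand-in for the handler that takes `query_id` from untrusted form data and separates "not logged in" (401), "unknown query" (404) and "not the owner" (403) before any stored SQL can be overwritten. The `User`, `Query` and `QUERIES` names are constructed placeholders, not the project's models.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


# Constructed stand-ins for the ORM models (hypothetical, not Quarry's code).
@dataclass
class User:
    id: int
    username: str


@dataclass
class Query:
    id: int
    user_id: int
    text: str


# Constructed in-memory "database" of saved queries, keyed by query id.
QUERIES: Dict[int, Query] = {
    1: Query(id=1, user_id=10, text="SELECT 1"),
    2: Query(id=2, user_id=20, text="SELECT 2"),
}


def api_run_query(form: Dict[str, str], current_user: Optional[User]) -> Tuple[str, int]:
    """Guarded version of the run-query handler.

    query_id arrives from the client and is not trusted, so ownership is
    established server-side before the row is modified. Returns
    (body, http_status) the way a Flask view function would.
    """
    # No authenticated user at all: 401, and never dereference a missing user.
    if current_user is None:
        return "Authentication required", 401
    try:
        query_id = int(form["query_id"])
    except (KeyError, ValueError):
        return "Bad request", 400
    query = QUERIES.get(query_id)
    # Unknown id is a 404, not an unhandled exception turned into a 500.
    if query is None:
        return "Not found", 404
    # Logged in but not the owner: a permission failure, so 403 rather than 401.
    if query.user_id != current_user.id:
        return "Forbidden", 403
    # Only the owner reaches this point and may overwrite the stored SQL.
    query.text = form.get("text", query.text)
    return "ok", 200
```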