fix(edge-identities): prevent unauthorised identity access #5135

matthewelwell · 2025-02-19T14:24:43Z

Changes

Fixes permissions on EdgeIdentityViewSet

How did you test this code?

Added / updated tests

vercel · 2025-02-19T14:24:48Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

3 Skipped Deployments

Name	Status	Preview	Updated (UTC)
docs	⬜️ Ignored (Inspect)	Visit Preview	Feb 19, 2025 9:12pm
flagsmith-frontend-preview	⬜️ Ignored (Inspect)	Visit Preview	Feb 19, 2025 9:12pm
flagsmith-frontend-staging	⬜️ Ignored (Inspect)	Visit Preview	Feb 19, 2025 9:12pm

github-actions · 2025-02-19T14:25:14Z

Docker builds report

Image	Build Status	Security report
`ghcr.io/flagsmith/flagsmith-api-test:pr-5135`	Finished ✅	Skipped
`ghcr.io/flagsmith/flagsmith-e2e:pr-5135`	Finished ✅	Skipped
`ghcr.io/flagsmith/flagsmith-api-test:pr-5135`	Finished ✅	Skipped
`ghcr.io/flagsmith/flagsmith-frontend:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith-api:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith-api:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith-frontend:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith-private-cloud:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith:pr-5135`	Finished ✅	Results ✅
`ghcr.io/flagsmith/flagsmith-private-cloud:pr-5135`	Finished ✅	Results ✅

github-actions · 2025-02-19T14:27:13Z

Uffizzi Preview deployment-61098 was deleted.

matthewelwell · 2025-02-19T15:56:36Z

api/edge_api/identities/views.py

            self.kwargs["identity_uuid"]
        )
+        edge_identity = EdgeIdentity.from_identity_document(identity_document)
+        self.check_object_permissions(self.request, edge_identity)


This line is the main fix in this PR. There's a lot of other changes here too, mostly related to the refactor implemented to remove this TODO, but I wanted to highlight the actual fix.

codecov · 2025-02-19T16:28:43Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.46%. Comparing base (5de0b42) to head (ef10cb0).
Report is 15 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5135      +/-   ##
==========================================
+ Coverage   97.45%   97.46%   +0.01%     
==========================================
  Files        1216     1224       +8     
  Lines       42368    42573     +205     
==========================================
+ Hits        41289    41495     +206     
+ Misses       1079     1078       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

khvn26 · 2025-02-19T16:47:23Z

api/edge_api/identities/models.py

        self._reset_initial_state()  # type: ignore[no-untyped-call]

    @classmethod
    def from_identity_document(cls, identity_document: dict) -> "EdgeIdentity":  # type: ignore[type-arg]
        return EdgeIdentity(IdentityModel.model_validate(identity_document))

    @property
-    def django_id(self) -> int:
-        return self._engine_identity_model.django_id  # type: ignore[return-value]
+    def django_id(self) -> int:  # pragma: no cover


Is this dead code? 🤔

Yes, I think so. I removed it.

api/edge_api/identities/models.py

api/conftest.py

matthewelwell added 3 commits February 18, 2025 13:59

Typing fixes

46c3d70

Add failing test

6e95ef1

Fix issue and update other tests

b41322b

matthewelwell requested a review from a team as a code owner February 19, 2025 14:24

matthewelwell requested review from khvn26 and removed request for a team February 19, 2025 14:24

github-actions bot added the api Issue related to the REST API label Feb 19, 2025

github-actions bot added the fix label Feb 19, 2025

Fix integration tests

7cccf47