Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Providing an API-key from user prevents access to public scenarios on /api/v3/scenarios when copying a scenario #1460

Open
thesethtruth opened this issue Sep 12, 2024 · 2 comments
Open

Providing an API-key from user prevents access to public scenarios on /api/v3/scenarios when copying a scenario #1460

thesethtruth opened this issue Sep 12, 2024 · 2 comments
Assignees
@noracato @louispt1
Labels
Pinned Will never be marked as stale or auto-closed.

Comments

@thesethtruth
Copy link

Current behavior

  1. No token or invalid token is accepted to copy a public scenario ✅
  2. Personal token/API-key that is not the same as the public scenario's 'creator/owner' does not work ❌

Exp. 1 - using example YOUR_TOKEN as auth (so not a valid key) ✅

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer YOUR_TOKEN"
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}
print(response.status_code)
print(response.reason)
>> 200
>> 'OK'

Exp. 2 - without auth ✅

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}
print(response.status_code)
print(response.reason)
>> 200
>> 'OK'

Exp. 3 - with actually existing API key (but not of scenario owner) ❌

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer <VALID_KEY>"
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}
print(response.status_code)
print(response.reason)
print(response.json()['errors'])
>> 403
>> 'Forbidden' 
>> ['Scenario does not belong to you']

Expected behaviour

Regardless of the Auth bearer I want to be able to copy public scenarios.
@noracato
Copy link
Member

Thanks @thesethtruth for your issue! I'll put it on our dev backlog

@github-actions GitHub Actions
Copy link

This issue has had no activity for 60 days and will be closed in 7 days. Removing the "Stale" label or posting a comment will prevent it from being closed automatically. You can also add the "Pinned" label to ensure it isn't marked as stale in the future.

@github-actions github-actions bot added the Stale Issue had no activity for 60 days and will be, or has been, closed. label Nov 16, 2024
@louispt1 louispt1 removed the Stale Issue had no activity for 60 days and will be, or has been, closed. label Nov 18, 2024
@mabijkerk mabijkerk added the Pinned Will never be marked as stale or auto-closed. label Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@noracato noracato

@louispt1 louispt1

Labels
Pinned Will never be marked as stale or auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@noracato @mabijkerk @thesethtruth @louispt1