Add permission check to light service (#19259)

2025-04-24 09:17:53 +00:00 · 2018-12-14 10:18:36 +01:00 · 2018-12-14 10:18:36 +01:00 · 0eb0faff03
commit 0eb0faff03
parent 4a23d4c7d3
2 changed files with 39 additions and 0 deletions
--- a/homeassistant/components/light/init.py
+++ b/homeassistant/components/light/init.py
@ -12,11 +12,13 @@ import os

 import voluptuous as vol

+from homeassistant.auth.permissions.const import POLICY_CONTROL
 from homeassistant.components.group import \
    ENTITY_ID_FORMAT as GROUP_ENTITY_ID_FORMAT
 from homeassistant.const import (
    ATTR_ENTITY_ID, SERVICE_TOGGLE, SERVICE_TURN_OFF, SERVICE_TURN_ON,
    STATE_ON)
+from homeassistant.exceptions import UnknownUser, Unauthorized
 import homeassistant.helpers.config_validation as cv
 from homeassistant.helpers.config_validation import PLATFORM_SCHEMA  # noqa
 from homeassistant.helpers.entity import ToggleEntity
@ -256,6 +258,21 @@ async def async_setup(hass, config):
        target_lights = component.async_extract_from_service(service)
        params.pop(ATTR_ENTITY_ID, None)

+        if service.context.user_id:
+            user = await hass.auth.async_get_user(service.context.user_id)
+            if user is None:
+                raise UnknownUser(context=service.context)
+
+            entity_perms = user.permissions.check_entity
+
+            for light in target_lights:
+                if not entity_perms(light, POLICY_CONTROL):
+                    raise Unauthorized(
+                        context=service.context,
+                        entity_id=light,
+                        permission=POLICY_CONTROL
+                    )
+
        preprocess_turn_on_alternatives(params)

        update_tasks = []
--- a/tests/components/light/test_init.py
+++ b/tests/components/light/test_init.py
@ -5,7 +5,10 @@ import unittest.mock as mock
 import os
 from io import StringIO

+import pytest
+
 from homeassistant import core, loader
+from homeassistant.exceptions import Unauthorized
 from homeassistant.setup import setup_component, async_setup_component
 from homeassistant.const import (
    ATTR_ENTITY_ID, STATE_ON, STATE_OFF, CONF_PLATFORM,
@ -495,3 +498,22 @@ async def test_light_context(hass, hass_admin_user):
    assert state2 is not None
    assert state.state != state2.state
    assert state2.context.user_id == hass_admin_user.id
+
+
+async def test_light_turn_on_auth(hass, hass_admin_user):
+    """Test that light context works."""
+    assert await async_setup_component(hass, 'light', {
+        'light': {
+            'platform': 'test'
+        }
+    })
+
+    state = hass.states.get('light.ceiling')
+    assert state is not None
+
+    hass_admin_user.mock_policy({})
+
+    with pytest.raises(Unauthorized):
+        await hass.services.async_call('light', 'turn_on', {
+            'entity_id': state.entity_id,
+        }, True, core.Context(user_id=hass_admin_user.id))