From b286da211a376696d8dc2ab1dcec6e81d00d9bdf Mon Sep 17 00:00:00 2001
From: Franck Nijhof
Date: Fri, 4 Aug 2023 19:25:01 +0200
Subject: [PATCH] Add is_admin check to check configuration API (#97788)
---
 homeassistant/components/config/core.py | 4 ++++
 tests/components/config/test_core.py | 15 +++++++++++++++
 tests/conftest.py | 4 ++--
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/homeassistant/components/config/core.py b/homeassistant/components/config/core.py
index 999e9433cbb..5a825e5676a 100644
--- a/homeassistant/components/config/core.py
+++ b/homeassistant/components/config/core.py
@@ -9,6 +9,7 @@ from homeassistant.components.http import HomeAssistantView
 from homeassistant.components.sensor import async_update_suggested_units
 from homeassistant.config import async_check_ha_config_file
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import Unauthorized
 from homeassistant.helpers import config_validation as cv
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
 from homeassistant.util import location, unit_system
@@ -30,6 +31,9 @@ class CheckConfigView(HomeAssistantView):
 async def post(self, request):
 """Validate configuration and return results."""
+ if not request["hass_user"].is_admin:
+ raise Unauthorized()
+
 errors = await async_check_ha_config_file(request.app["hass"])
 state = "invalid" if errors else "valid"
diff --git a/tests/components/config/test_core.py b/tests/components/config/test_core.py
index 9612609c1c5..fa7f33858a6 100644
--- a/tests/components/config/test_core.py
+++ b/tests/components/config/test_core.py
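Review bot: The docstring of `post` still describes the endpoint as open to any authenticated caller while the new guard refuses non-admins; extend it to `"""Validate configuration and return results (admin users only)."""` so the contract is visible to readers of the view. Putting the `is_admin` test ahead of `async_check_ha_config_file` is the right order — the full configuration parse is never started on behalf of a non-admin. The guard indexes `request["hass_user"]` directly, which relies on the view's default `requires_auth` having populated it; the class body that could override that is outside the hunk, so confirm `CheckConfigView` does not set `requires_auth = False`. If this tree has the `require_admin` decorator from `homeassistant.components.http.decorators`, it performs this same check and would keep the view consistent with other admin-only views.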
@@ -60,6 +60,21 @@ async def test_validate_config_ok(
 assert result["errors"] == "beer"
+async def test_validate_config_requires_admin(
+ hass: HomeAssistant,
+ hass_client: ClientSessionGenerator,
+ hass_read_only_access_token: str,
+) -> None:
+ """Test checking configuration does not work as a normal user."""
+ with patch.object(config, "SECTIONS", ["core"]):
+ await async_setup_component(hass, "config", {})
+ client = await hass_client(hass_read_only_access_token)
+ resp = await client.post("/api/config/core/check_config")
+ assert resp.status == HTTPStatus.UNAUTHORIZED
+
+
 async def test_websocket_core_update(hass: HomeAssistant, client) -> None:
 """Test core config update websocket command."""
 assert hass.config.latitude != 60
diff --git a/tests/conftest.py b/tests/conftest.py
index 40fd1c2eef0..0b63ddec6af 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -744,10 +744,10 @@ def hass_client(
 ) -> ClientSessionGenerator:
 """Return an authenticated HTTP client."""
- async def auth_client() -> TestClient:
+ async def auth_client(access_token: str | None = hass_access_token) -> TestClient:
 """Return an authenticated client."""
 return await aiohttp_client(
- hass.http.app, headers={"Authorization": f"Bearer {hass_access_token}"}
+ hass.http.app, headers={"Authorization": f"Bearer {access_token}"}
 )
 return auth_client
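Review bot: `test_validate_config_requires_admin` only shows that a read-only token gets `HTTPStatus.UNAUTHORIZED`; it does not show that the guard fired before the configuration check, so a regression that ran `async_check_ha_config_file` first and rejected afterwards would still pass. Patch the checker around the request and assert it was never reached: `with patch("homeassistant.components.config.core.async_check_ha_config_file") as mock_check:` wrapping the `client.post` call, followed by `mock_check.assert_not_called()`. That also keeps the negative test independent of the cost of a real configuration check.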
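Review bot: The new `auth_client` signature admits `None` (`access_token: str | None = hass_access_token`), but the header line below formats it unconditionally, so passing `None` yields the literal header `Bearer None` instead of an unauthenticated client. Either narrow the annotation to `access_token: str = hass_access_token`, or build `headers` only when a token is given so that `None` drops `Authorization` entirely — a genuinely anonymous client is what 401 tests usually want. The enclosing `hass_client` fixture starts before the hunk, so whether `hass_access_token` can itself be `None` is not visible here.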