Process review comments (PR2464)

2025-11-25 22:12:28 +02:00 · 2022-11-25 11:21:33 +00:00
parent afb224e796
commit 61d092922c
10 changed files with 60 additions and 66 deletions
--- a/core/admin/mailu/api/common.py
+++ b/core/admin/mailu/api/common.py
@@ -5,13 +5,15 @@ import flask
 import hmac
 from functools import wraps
 from flask_restx import abort
+from sqlalchemy.sql.expression import label

-def fqdn_in_use(*names):
-    for name in names:
-        for model in models.Domain, models.Alternative, models.Relay:
-            if model.query.get(name):
-                return model
-    return None
+def fqdn_in_use(name):
+    d = models.db.session.query(label('name', models.Domain.name))
+    a = models.db.session.query(label('name', models.Alternative.name))
+    r = models.db.session.query(label('name', models.Relay.name))
+    if d.union_all(a).union_all(r).filter_by(name=name).count() > 0:
+        return True
+    return False

 """ Decorator for validating api token for authentication """
 def api_token_authorization(func):
@@ -20,14 +22,12 @@ def api_token_authorization(func):
        client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
        if utils.limiter.should_rate_limit_ip(client_ip):
            abort(429, 'Too many attempts from your IP (rate-limit)' )
-        if (request.args.get('api_token') == '' or
-            request.args.get('api_token') == None):
-            abort(401, 'A valid API token is expected as query string parameter')
-        if not hmac.compare_digest(request.args.get('api_token'), v1.api_token):
+        if not request.headers.get('Authorization'):
+            abort(401, 'A valid API token is expected which is provided as request header')
+        if not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token):
            utils.limiter.rate_limit_ip(client_ip)
            flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
-            abort(403, 'A valid API token is expected as query string parameter')
-        else:
-            flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
+            abort(403, 'A valid API token is expected which is provided as request header')
+        flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
        return func(*args, **kwds)
    return decorated_function