From 20ea476dc76f045b16a3edb86228fe31b49a35a5 Mon Sep 17 00:00:00 2001
From: Arpit Mohan
Date: Thu, 19 Dec 2019 13:04:13 +0530
Subject: [PATCH] Correcting the HTTP methods for the public urls of forgotPassword & resetPassword
---
 .../server/configurations/SecurityConfig.java | 6 +++---
 .../resources/public/appsmith/authz/acl.rego | 6 +++---
 .../src/main/resources/public/bundle.tar.gz | Bin 1261 -> 1403 bytes
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
index fd37031e3b..28df76c58d 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@@ -87,9 +87,9 @@ public class SecurityConfig {
 // This is because the flow enters AclFilter as well and needs to be whitelisted there
 .matchers(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/login"),
 ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL),
- ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL + "/forgotPassword"),
- ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL + "/verifyPasswordResetToken"),
- ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL + "/resetPassword"))
+ ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, USER_URL + "/forgotPassword"),
+ ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, USER_URL + "/verifyPasswordResetToken"),
+ ServerWebExchangeMatchers.pathMatchers(HttpMethod.PUT, USER_URL + "/resetPassword"))
 .permitAll()
 .pathMatchers("/public/**").permitAll()
 .anyExchange()
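Review bot: Opening `USER_URL + "/forgotPassword"` and `USER_URL + "/verifyPasswordResetToken"` to unauthenticated GET in the permitAll matchers means the user's e-mail and the reset token are carried in the URL query string, where they end up in access logs, browser history and outbound Referer headers, and a GET that triggers the reset mail is a state change any cross-origin page can cause a browser to issue; this only follows if the controller mappings really are GET, which the hunk does not show. If the handlers can stay POST with the token in the body that is the safer shape; otherwise confirm the token is short-lived and single-use and that these paths are kept out of request logging. Independently, this allow-list is duplicated by `public_operations` in `app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego` (the second hunk), which hard-codes the `/api/v1/users` prefix while this side derives it from `USER_URL`, so the two can drift silently; the existing comment could name the counterpart: `// Keep in sync with public_operations in resources/public/appsmith/authz/acl.rego, which AclFilter enforces`. The enclosing method and builder chain start and end outside the hunk.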
diff --git a/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego b/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego index e28ec299fc..8302662c78 100644 --- a/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego +++ b/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego @@ -23,10 +23,10 @@ url_allow = true { # All public URLs must go into this list. Anything not in this list requires an authenticated session to access public_operations = [ - {"method" : "POST", "url" : "/api/v1/users/forgotPassword" }, + {"method" : "GET", "url" : "/api/v1/users/forgotPassword" }, {"method" : "POST", "url" : "/api/v1/users" }, - {"method" : "POST", "url" : "/api/v1/users/verifyPasswordResetToken" }, - {"method" : "POST", "url" : "/api/v1/users/resetPassword" }, + {"method" : "GET", "url" : "/api/v1/users/verifyPasswordResetToken" }, + {"method" : "PUT", "url" : "/api/v1/users/resetPassword" }, ] # This is a global list of all the routes for all controllers. Any new controller that is written must 
diff --git a/app/server/appsmith-server/src/main/resources/public/bundle.tar.gz b/app/server/appsmith-server/src/main/resources/public/bundle.tar.gz index 68b8ba98b98bff48c507ae80df9e1a17c46d6772..58618889e96fbd56e106790478a731c816663029 100644 GIT binary patch literal 1403 zcmV->1%&z^iwFQPBl}$d1MQeiZ`(E)$9s)F1(6+gSfJR6?EnRO$kuEakTqGFB8MOd zXo%`zDRYc^~PFSbbP_q_c1&?a%7%QaQ2!#6M2Mx)Wmbc)R9 ztoj@sO{!1Z(D-;d9gmJiv&jsN#>eB?$s06%L7$pdNQDKsf<;c1XC6#jEIi{jj^^`U z(r~RmF4XGF%dCPx{ZD4Iqw(bE1oWRAA5UNP|2x{2{y1T=AWQyDZ9qO|lZi|J@zK$A zyruv2WP1DtjlQWDj`ly-KgY=fUJ_KVgV?NtC`!o!7fhi-uzSoH-=KGBfte)Dh#-;| zA|YGD(Rb*2MI{mi1F9a9NUaDeBoRn)gp-6wiAa{_oMuX*IhG_vJTtR$BGyz&$}{~I zR=Tr9SO5xoml;W8V}PKQQu%L0t$2!XmNwp0bD0D~83I083d~TBg+hE`jnixiT=4Pq zr*oj)5X2veU>v8$2jh7gH*^UyFVPx5=ohKdmrzZq*!-Rfpoe_rf7l{WI+-W`vKwrQQrdw<;9%QMEg@EM6;_XtOWwTmvf$$anuz{ ziGrZ75rW2Zce<9s9jA*yPv@H{s|B+Cnu+Cm`;~ zSo8Dht#%}Oio6b2fjd3b2{AQsKZI+th-b&r-@FA-iX21ccd(P>t~ z6X=|A$aU5Zfqb6}3PEf6cdFLP9SwX3hi;9RU-v7o_R(9k|I69+{sG#D2+ZRl>Rf z_)w=%9xk|8a&-yoe!~UKe>xZfE-ya13A#^+F)CbzmY8LO&<7YdRL(VH%)G9@@;fHdNujBGlcO-*bBRf=RrS1^-c zAxf z^!6{B!KOg<0rn~=(d>c zvIrmnD0Oq}nh4+&dD`bPSiU3Ao~`M*|~t!fcE_+%QTf&BocG1?ebsg)8b7 zvz-vCs0Ufg>WA*o*2Am??lD7R$BD1h>e0ZcoiH1+4>ye0NwdLvXz$O?&#upcfhl36 z4-83N{oR$kc04eB9-vL2A302+hiH@7BL)=zdi(hUB68zvRe(9Sn@!g|bn5V8eJ_EE{Rd z3W+h%|6{#dVRuGgv|gwU`8n(`ZZFjazeNqn0KA9&`&oBJUy7#_iJFL2LB3v`C-tdY3=uU~}{9r9Kx|w$aDm&(Y_Cn3Gih z-iO2H04KAb;V?!1!0VimgZ7BD#wD8D+a!1gc#^=QIXi+$IHU=Zz%kPvt$4=te8%-X zk3QX#wK=zaxVUbQnbiw1x>?cQb&qjdCL3N`rX+V;l{x*6iKL-qsz5Sxa?q=XS;(xuQLrvD-r4>1&YA zqox)5RH>J%xwMJ){FgXp*sMsv*kjvYhZZuXX@3e$JGL4_|MW%aYkO_4?X~^K+MkP^ Jy^#PQ008G6z|{Z% literal 1261 zcmV-iIY#0_IfGzUyFR^EtDh z+401Fx`D3eL|gfqm~K_Pz8&Ms(>7bEf#@wXUFdIKQeF= ze_X58ho{Mc$oQYmvS~J+Wf1?#$??f^{Qrru7k`|yRFEbAre}aZW|N68{^Rj+1ReN!zw<9{Ci3g_?elAtCJQj-TsQji6%nL@Q-x0o@$L9fsPGf8$Uf=FJAoa`+p z-=V7&l}OYKsCr2vwIZmNL?Fcx&T}FqB4tr=S}KX|up|ZIrID(LSW_t}FZC|0^yC&{ z0VtSVmZV6{0R*j-s(vME#S4VXVyBIjWfBf55%9@UV1_Cz6yghaI4zgJ1s%_RyhyqR 
zDp3>kF+nhR1<%?Sq*OG=iWIjTl*3A^c71zeglJjSDqUMGUcnysy|cK}%PcofMnIon zg|u(dj_D1*vb)-q(s0V#(DUg16xUHhenzOu`pz8Ql{>7u)90KZqpiioYY}m#~E1 z-P8YOm*Vh;(US2y$S_8w%`nDHA`4zCA`#ecrgB~?!5IT&iq6U{D#@lZX>%QT8$p#K zC0fI4369CJ5L=zekcIGtmNsu;7H?B@IX}|{181yFF1MxRa$iW2>(FV%Kq*NKhk{I$5{#?b`m~#jGhCgeiLY{oIn;?jQyqHF1|KF{ zRrGW&2oPV|)%|F~`p@UFBmfnD&iv0JMfs5F60|vI%P#`ao<0%qGA+W{mAP50zT88fmo`=1dOZhW2`C z&e#C$_4&p5)p<0qAdK{ZF|KRA`<&OVN4hTnbPfz7hb{~dofCV+sA6IDl6n)SS&c0d zAFQd70PcYT@zI*;4ggTQS!w&5ZQl0U8)EE!IJ{*3ZbtNJ_ z5QI7pJcb>5AV_r{*rUefK)IkxfBfxgbnHE_UEKY+hhpxb?c(idiSF-ucNnIzdHc&; zUtZX=(VO2d&|ft%omBt&g2T%JIrCi zG(mD`GhJ)NOQz)+*Vh$XW7ei``|a|oZ8PnL6un(h(6zlAFsg4Th}q}i6%3qcn#o07 znncHps_l`Z_O5nX){3wSFpVEJ&>0exGYn*@$=WGfgLwTznhb7;+;zpl-nE0trDnEs zVd7e@MgqpQZC?+qWlD>_2rW8i?GF04 X@B5y|^LQT5qZxk#C~5^n03HAUrh8