cannot invalidate application tokens
disconn3ct opened this issue · 6 comments
The problem
Users cannot invalidate application tokens
Did the issue persist even in safe mode?
Yes, it did persist
If you could not test in safe mode, please state why ("currently printing" is NOT an excuse!)
No response
Version of OctoPrint
1.10.0
Operating system running OctoPrint
dietpi
Printer model & used firmware incl. version
No response
Browser and version of browser, operating system running browser
No response
Checklist of files to include below
- Systeminfo Bundle (always include!)
- Contents of the JavaScript browser console (always include in cases of issues with the user interface)
- Screenshots and/or videos showing the problem (always include in case of issues with the user interface)
- GCODE file with which to reproduce (always include in case of issues with GCODE analysis or printing behaviour)
Additional information & file uploads
```
2024-04-28 11:02:45,911 - octoprint.server.api - ERROR - Error while executing SimpleApiPlugin appkeys
Traceback (most recent call last):
  File "/mnt/dietpi_userdata/octoprint/.local/lib/python3.11/site-packages/octoprint/server/api/__init__.py", line 162, in pluginCommand
    response = api_plugin.on_api_command(command, data)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/mnt/dietpi_userdata/octoprint/.local/lib/python3.11/site-packages/octoprint/util/__init__.py", line 1686, in wrapper
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/mnt/dietpi_userdata/octoprint/.local/lib/python3.11/site-packages/octoprint/plugins/appkeys/__init__.py", line 381, in on_api_command
    if user_for_key is None or user_for_key.user_id != user_id:
                               ^^^^^^^^^^^^^^^^^^^^
AttributeError: 'User' object has no attribute 'user_id'
```
This is probably a security issue in truth, but the barrier to entry is pretty high.
I am unable to reproduce this issue. Where in the system are you pressing the delete key on the application key?
Username to User Settings to Application Keys. Click the trash icon and it pops up with the confirmation. Clicking 'proceed' results in a 500.
The user is not an administrator (operator only). It looks like the administrator/initial user can delete tokens successfully.
(Edit to add: Sorry for the delay. The robot strongly hinted a human was not going to review this so I didn't check in.)
Logged in as a user I can reproduce this. Something must have gone wrong during a refactoring.
Fix is ready for 1.10.1 (even though the build currently fails for other reasons).
Confirmed working. Thanks!
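The failure mode from the traceback, reduced to a stand-alone sketch; this is an added example, not OctoPrint's code and not the project's actual fix. `User`, `revoke`, `outcome`, the `get_id()` accessor and the rule that administrators skip the ownership check are assumptions chosen to match what the thread reports (operator gets a 500, administrator can delete).

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Would map to an HTTP 403 in a real handler."""

@dataclass
class User:
    # Hypothetical stand-in: like the object in the traceback,
    # it has no `user_id` attribute.
    name: str
    admin: bool = False

    def get_id(self):
        return self.name

def revoke(keys, users, current, key, owner_id):
    """Delete `key` if `current` may revoke it; `owner_id` reads the owner's id."""
    if not current.admin:  # assumption: only non-admins hit the ownership check
        owner = users.get(keys.get(key))
        if owner is None or owner_id(owner) != current.get_id():
            raise Forbidden(key)
    del keys[key]

buggy = lambda u: u.user_id   # attribute access shown in the traceback
fixed = lambda u: u.get_id()  # assumed accessor for the corrected comparison

def outcome(current_name, key, owner_id):
    """Run one revoke against a fresh, constructed key store and name the result."""
    users = {"admin": User("admin", admin=True), "op": User("op"), "eve": User("eve")}
    keys = {"k-op": "op", "k-eve": "eve"}  # constructed sample data: key -> owner
    try:
        revoke(keys, users, users[current_name], key, owner_id)
    except AttributeError:
        return "500"  # unhandled exception surfaces as a server error
    except Forbidden:
        return "403"
    return "revoked" if key not in keys else "kept"

if __name__ == "__main__":
    for who, key in [("admin", "k-op"), ("op", "k-op"), ("op", "k-eve")]:
        print(who, key, "buggy:", outcome(who, key, buggy), "fixed:", outcome(who, key, fixed))
```

A regression test for this kind of handler should run as a non-administrator and cover both the user's own key and a key owned by someone else, since an admin-only test never reaches the ownership comparison.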