api.pubsub: only let users listen for their own subscriptions

Signed-off-by: Ricardo Cañuelo <[email protected]>
JenySadadia · Dec 14, 2023 · 7643078 · 7643078
1 parent 8c925e7
commit 7643078
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/api/main.py b/api/main.py
@@ -644,7 +644,7 @@ async def unsubscribe(sub_id: int, user: User = Depends(get_current_user)):
 async def listen(sub_id: int, user: User = Depends(get_current_user)):
     """Listen messages from a subscribed Pub/Sub channel"""
     try:
-        return await pubsub.listen(sub_id)
+        return await pubsub.listen(sub_id, user.username)
     except KeyError as error:
         raise HTTPException(
             status_code=status.HTTP_404_NOT_FOUND,

diff --git a/api/pubsub.py b/api/pubsub.py
@@ -125,7 +125,7 @@ async def unsubscribe(self, sub_id, user=None):
             self._update_channels()
             await sub['redis_sub'].unsubscribe()
 
-    async def listen(self, sub_id):
+    async def listen(self, sub_id, user=None):
         """Listen for Pub/Sub messages
 
         Listen on a given subscription id asynchronously and return a message
@@ -134,6 +134,12 @@ async def listen(self, sub_id):
         async with self._lock:
             sub = self._subscriptions[sub_id]
 
+        # Only allow a user to listen to its own subscriptions. One
+        # exception: let an anonymous (internal) call to this function
+        # to listen to any subscription
+        if user and user != sub['sub'].user:
+            raise RuntimeError(f"Subscription {sub_id} "
+                               f"not owned by {user}")
         while True:
             msg = await sub['redis_sub'].get_message(
                 ignore_subscribe_messages=True, timeout=1.0