maykinmedia · annashamray · May 3, 2024 · May 2, 2024 · May 2, 2024 · May 2, 2024
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,7 +1,7 @@
 [bumpversion]
 commit = False
 tag = False
-current_version = 2.3.1
+current_version = 2.3.2
 
 [bumpversion:file:README.rst]
 

diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml
@@ -15,8 +15,9 @@ jobs:
         run: docker-compose -f docker-compose-qs.yml up -d
       - name: Wait until DB container starts
         run: sleep 10
-      - name: Load fixtures
-        run: docker-compose -f docker-compose-qs.yml exec -T web src/manage.py loaddata demodata
+#        TODO uncomment when correct fixtures are uploaded into dockerhub inside docker image
+#      - name: Load fixtures
+#        run: docker-compose -f docker-compose-qs.yml exec -T web src/manage.py loaddata demodata
       - name: Create superuser
         run: docker-compose -f docker-compose-qs.yml exec -T web src/manage.py createsuperuser --username admin --email [email protected] --no-input
       - name: Check main page

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,16 @@
 Change history
 ==============
 
+2.3.2 (2024-05-03)
+------------------
+
+Bugfix release
+
+This release addresses a security weakness.
+
+* [GHSA-3wcp-29hm-g82c] replaced PK for Token model.
+
+
 2.3.1 (2024-03-22)
 ------------------
 

diff --git a/README.NL.rst b/README.NL.rst
@@ -2,7 +2,7 @@
 Objecten API
 ============
 
-:Version: 2.3.1
+:Version: 2.3.2
 :Source: https://github.com/maykinmedia/objecttypes-api
 :Keywords: objecten, assets, zaakobjecten
 
@@ -38,10 +38,10 @@ Versie          Release datum   API specificatie
 ==============  ==============  =============================
 latest          n/a             `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/master/src/objects/api/v2/openapi.yaml>`_,
                                 `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/master/src/objects/api/v2/openapi.yaml>`_,
-                                (`verschillen <https://github.com/maykinmedia/objects-api/compare/2.3.1..master#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
-2.3.1           2024-03-22      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.1/src/objects/api/v2/openapi.yaml>`_,
-                                `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.1/src/objects/api/v2/openapi.yaml>`_
-                                (`verschillen <https://github.com/maykinmedia/objects-api/compare/2.3.0..2.3.1#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
+                                (`verschillen <https://github.com/maykinmedia/objects-api/compare/2.3.2..master#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
+2.3.2           2024-03-22      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.2/src/objects/api/v2/openapi.yaml>`_,
+                                `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.2/src/objects/api/v2/openapi.yaml>`_
+                                (`verschillen <https://github.com/maykinmedia/objects-api/compare/2.3.0..2.3.2#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
 2.3.0           2024-03-15      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.0/src/objects/api/v2/openapi.yaml>`_,
                                 `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.0/src/objects/api/v2/openapi.yaml>`_
                                 (`verschillen <https://github.com/maykinmedia/objects-api/compare/2.2.1..2.3.0#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)

diff --git a/README.rst b/README.rst
@@ -2,7 +2,7 @@
 Objects API
 ===========
 
-:Version: 2.3.1
+:Version: 2.3.2
 :Source: https://github.com/maykinmedia/objects-api
 :Keywords: objects, assets, zaakobjecten
 
@@ -36,10 +36,10 @@ Version         Release date    API specification
 ==============  ==============  =============================
 latest          n/a             `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/master/src/objects/api/v2/openapi.yaml>`_,
                                 `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/master/src/objects/api/v2/openapi.yaml>`_,
-                                (`diff <https://github.com/maykinmedia/objects-api/compare/2.3.1..master#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
-2.3.1           2024-03-22      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.1/src/objects/api/v2/openapi.yaml>`_,
-                                `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.1/src/objects/api/v2/openapi.yaml>`_
-                                (`diff <https://github.com/maykinmedia/objects-api/compare/2.3.0..2.3.1#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
+                                (`diff <https://github.com/maykinmedia/objects-api/compare/2.3.2..master#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
+2.3.2           2024-03-22      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.2/src/objects/api/v2/openapi.yaml>`_,
+                                `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.2/src/objects/api/v2/openapi.yaml>`_
+                                (`diff <https://github.com/maykinmedia/objects-api/compare/2.3.0..2.3.2#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)
 2.3.0           2024-03-15      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.0/src/objects/api/v2/openapi.yaml>`_,
                                 `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.0/src/objects/api/v2/openapi.yaml>`_
                                 (`diff <https://github.com/maykinmedia/objects-api/compare/2.2.1..2.3.0#diff-b9c28fec6c3f3fa5cff870d24601d6ab7027520f3b084cc767aefd258cb8c40a>`_)

diff --git a/docs/api/index.rst b/docs/api/index.rst
@@ -14,9 +14,9 @@ API                     Specification version(s)
                         `Redoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objecttypes-api/2.0.0/src/objecttypes/api/v2/openapi.yaml>`__,
                         `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objecttypes-api/2.0.0/src/objecttypes/api/v2/openapi.yaml>`__
                         )
-`Objects API`_          2.3.1 (
-                        `Redoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.1/src/objects/api/v2/openapi.yaml>`__,
-                        `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.1/src/objects/api/v2/openapi.yaml>`__
+`Objects API`_          2.3.2 (
+                        `Redoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.2/src/objects/api/v2/openapi.yaml>`__,
+                        `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/objects-api/2.3.2/src/objects/api/v2/openapi.yaml>`__
                         )
 ======================  ==========================================
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "objects",
-  "version": "2.3.1",
+  "version": "2.3.2",
   "description": "objects project",
   "main": "src/objects/static/bundles/objects-js.js",
   "directories": {

diff --git a/publiccode.yaml b/publiccode.yaml
@@ -7,7 +7,7 @@ publiccodeYmlVersion: '0.2'
 name: Objects API
 url: 'http://github.com/maykinmedia/objects-api.git'
 softwareType: standalone/backend
-softwareVersion: 2.3.1
+softwareVersion: 2.3.2
 releaseDate: '2021-01-13'
 logo: 'https://github.com/maykinmedia/objects-api/blob/master/docs/logo.png'
 platforms:

diff --git a/src/objects/__init__.py b/src/objects/__init__.py
@@ -1,6 +1,6 @@
 from .celery import app as celery_app
 
 __all__ = ("celery_app",)
-__version__ = "2.3.1"
+__version__ = "2.3.2"
 __author__ = "Maykin Media"
 __homepage__ = "https://github.com/maykinmedia/objects-api"
diff --git a/src/objects/api/v2/openapi.yaml b/src/objects/api/v2/openapi.yaml
@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: Objects API
-  version: 2.3.1 (v2)
+  version: 2.3.2 (v2)
   description: |
     An API to manage Objects.
 

diff --git a/src/objects/conf/api.py b/src/objects/conf/api.py
@@ -1,7 +1,7 @@
 from vng_api_common.conf.api import *  # noqa - imports white-listed
 
-API_VERSION = "2.3.1"
-VERSIONS = {"v1": "1.3.0", "v2": "2.3.1"}
+API_VERSION = "2.3.2"
+VERSIONS = {"v1": "1.3.0", "v2": "2.3.2"}
 
 # api settings
 REST_FRAMEWORK = {

diff --git a/src/objects/fixtures/demodata.json b/src/objects/fixtures/demodata.json
@@ -772,20 +772,21 @@
 },
 {
     "model": "token.tokenauth",
-    "pk": "cd63e158f3aca276ef284e3033d020a22899c728",
+    "pk": 1,
     "fields": {
         "contact_person": "test",
         "email": "[email protected]",
         "organization": "",
         "last_modified": "2020-12-23T11:43:16.820Z",
-        "created": "2020-12-22T16:27:00.751Z"
+        "created": "2020-12-22T16:27:00.751Z",
+        "token": "cd63e158f3aca276ef284e3033d020a22899c728"
     }
 },
 {
     "model": "token.permission",
     "pk": 1,
     "fields": {
-        "token_auth": "cd63e158f3aca276ef284e3033d020a22899c728",
+        "token_auth": 1,
         "object_type": 2,
         "mode": "read_and_write"
     }
@@ -794,7 +795,7 @@
     "model": "token.permission",
     "pk": 2,
     "fields": {
-        "token_auth": "cd63e158f3aca276ef284e3033d020a22899c728",
+        "token_auth": 1,
         "object_type": 1,
         "mode": "read_and_write"
     }

diff --git a/src/objects/token/admin.py b/src/objects/token/admin.py
@@ -103,7 +103,6 @@ def add_view(self, request, form_url="", extra_context=None):
 
 class PermissionInline(EditInlineAdminMixin, admin.TabularInline):
     model = Permission
-    fk_name = "token_auth"
     fields = ("object_type", "mode", "use_fields", "fields")
 
 

diff --git a/src/objects/token/migrations/0011_rename_tokenauth_oldtokenauth_and_more.py b/src/objects/token/migrations/0011_rename_tokenauth_oldtokenauth_and_more.py
@@ -0,0 +1,26 @@
+# Generated by Django 4.2.11 on 2024-05-02 09:14
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0028_alter_objectrecord_data"),
+        ("token", "0009_alter_permission_fields"),
+    ]
+
+    operations = [
+        migrations.RenameModel(
+            old_name="TokenAuth",
+            new_name="OldTokenAuth",
+        ),
+        migrations.RenameField(
+            model_name="permission",
+            old_name="token_auth",
+            new_name="old_token_auth",
+        ),
+        migrations.AlterUniqueTogether(
+            name="permission",
+            unique_together={("old_token_auth", "object_type")},
+        ),
+    ]
diff --git a/src/objects/token/migrations/0012_tokenauth_permission_token_auth.py b/src/objects/token/migrations/0012_tokenauth_permission_token_auth.py
@@ -0,0 +1,110 @@
+# Generated by Django 4.2.11 on 2024-05-02 09:16
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0028_alter_objectrecord_data"),
+        ("token", "0011_rename_tokenauth_oldtokenauth_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="TokenAuth",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("token", models.CharField(max_length=40, verbose_name="token")),
+                (
+                    "contact_person",
+                    models.CharField(
+                        help_text="Name of the person in the organization who can access the API",
+                        max_length=200,
+                        verbose_name="contact person",
+                    ),
+                ),
+                (
+                    "email",
+                    models.EmailField(
+                        help_text="Email of the person, who can access the API",
+                        max_length=254,
+                        verbose_name="email",
+                    ),
+                ),
+                (
+                    "organization",
+                    models.CharField(
+                        blank=True,
+                        help_text="Organization which has access to the API",
+                        max_length=200,
+                        verbose_name="organization",
+                    ),
+                ),
+                (
+                    "last_modified",
+                    models.DateTimeField(
+                        auto_now=True,
+                        help_text="Last date when the token was modified",
+                        verbose_name="last modified",
+                    ),
+                ),
+                (
+                    "created",
+                    models.DateTimeField(
+                        auto_now_add=True,
+                        help_text="Date when the token was created",
+                        verbose_name="created",
+                    ),
+                ),
+                (
+                    "application",
+                    models.CharField(
+                        blank=True,
+                        help_text="Application which has access to the API",
+                        max_length=200,
+                        verbose_name="application",
+                    ),
+                ),
+                (
+                    "administration",
+                    models.CharField(
+                        blank=True,
+                        help_text="Administration which has access to the API",
+                        max_length=200,
+                        verbose_name="administration",
+                    ),
+                ),
+                (
+                    "object_types",
+                    models.ManyToManyField(
+                        help_text="Object types which can be accessed",
+                        through="token.Permission",
+                        to="core.objecttype",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "token authorization",
+                "verbose_name_plural": "token authorizations",
+            },
+        ),
+        migrations.AddField(
+            model_name="permission",
+            name="new_token_auth",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="permissions",
+                to="token.tokenauth",
+            ),
+        ),
+    ]
diff --git a/src/objects/token/migrations/0013_copy_token_auth.py b/src/objects/token/migrations/0013_copy_token_auth.py
@@ -0,0 +1,58 @@
+from django.db import migrations
+
+
+def switch_to_new_token_model(apps, _):
+    OldTokenAuth = apps.get_model("token", "OldTokenAuth")
+    TokenAuth = apps.get_model("token", "TokenAuth")
+
+    for old_token in OldTokenAuth.objects.all():
+        token, created = TokenAuth.objects.get_or_create(
+            token=old_token.token,
+            defaults={
+                "contact_person": old_token.contact_person,
+                "email": old_token.email,
+                "organization": old_token.organization,
+                "last_modified": old_token.last_modified,
+                "created": old_token.created,
+                "application": old_token.application,
+                "administration": old_token.administration,
+            },
+        )
+
+        # add fk relations to new model
+        if created:
+            old_token.permissions.all().update(new_token_auth=token)
+
+
+def switch_to_old_token_model(apps, _):
+    OldTokenAuth = apps.get_model("token", "OldTokenAuth")
+    TokenAuth = apps.get_model("token", "TokenAuth")
+
+    # copy tokens to old model
+    for token in TokenAuth.objects.all():
+        old_token, created = OldTokenAuth.objects.get_or_create(
+            token=token.token,
+            defaults={
+                "contact_person": token.contact_person,
+                "email": token.email,
+                "organization": token.organization,
+                "last_modified": token.last_modified,
+                "created": token.created,
+                "application": token.application,
+                "administration": token.administration,
+            },
+        )
+
+        # add fk relations to old model
+        if created:
+            token.permissions.all().update(old_token_auth=old_token)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("token", "0012_tokenauth_permission_token_auth"),
+    ]
+
+    operations = [
+        migrations.RunPython(switch_to_new_token_model, switch_to_old_token_model),
+    ]