frappe / press

Full service cloud hosting for the Frappe stack - powers Frappe Cloud
https://frappe.cloud
GNU Affero General Public License v3.0

Potential security issue selecting team in `get_current_team` #2050

Closed casesolved-co-uk closed 1 month ago

casesolved-co-uk commented 1 month ago

The below code shows that the X-Press-Team header is used to set the team on the server in preference to all other values.

If this is invalid the code returns a PermissionError, HTTP code 403. This could potentially be used to search for other teams.

I would suggest an AuthenticationError (HTTP 401) might be better, which I believe forces a logout? Mitigated by the check that the user is part of the team.

I observed strange behaviour when using an old cookie with an invalid team id stored.

https://github.com/frappe/press/blob/c9278fdde936e09d4479c0376441312ebf218a19/press/utils/__init__.py#L115-L147
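As an added illustration (not code from frappe/press), a simplified Python model of the header-first team selection described above: the first resolver answers differently for an unknown team and for a team the user is not a member of (an assumption made for illustration), while the second computes membership from the user's side so both failures give one response. Team names, users and the exception classes are constructed sample values.

```python
# Added example, not frappe/press code: a model of resolving the acting team
# from an X-Press-Team header, first in a form whose error text depends on
# whether the named team exists, then in a form where it does not.

# Constructed sample data (not real Frappe Cloud records).
TEAMS = {
    "team-alpha": {"alice@example.com", "bob@example.com"},
    "team-beta": {"carol@example.com"},
}
DEFAULT_TEAM = {
    "alice@example.com": "team-alpha",
    "bob@example.com": "team-alpha",
    "carol@example.com": "team-beta",
}


class AuthenticationError(Exception):
    """Stands in for HTTP 401: the session itself is not acceptable."""


class TeamPermissionError(Exception):
    """Stands in for HTTP 403: session is fine, this team is not allowed."""


def get_current_team_leaky(user, headers):
    """Header is trusted first; an unknown team and a non-member team raise
    different messages, so the response reveals whether the team exists."""
    if user == "Guest":
        raise AuthenticationError("not logged in")
    team = headers.get("X-Press-Team") or DEFAULT_TEAM.get(user)
    if team not in TEAMS:
        raise TeamPermissionError(f"Team {team} not found")
    if user not in TEAMS[team]:
        raise TeamPermissionError(f"User {user} does not belong to Team {team}")
    return team


def get_current_team_uniform(user, headers):
    """Membership is derived from the user's own teams, so 'does not exist'
    and 'not a member' collapse into one indistinguishable failure."""
    if user == "Guest":
        raise AuthenticationError("not logged in")
    requested = headers.get("X-Press-Team") or DEFAULT_TEAM.get(user)
    users_teams = {name for name, members in TEAMS.items() if user in members}
    if requested not in users_teams:
        raise TeamPermissionError("You do not have access to the requested team")
    return requested


def error_seen_by_caller(resolver, user, team):
    """Return the message a client would receive for a given header value."""
    try:
        resolver(user, {"X-Press-Team": team})
        return "ok"
    except (AuthenticationError, TeamPermissionError) as exc:
        return str(exc)
```

Comparing `error_seen_by_caller` for a team the user is not in against a team that does not exist shows the difference: the first resolver returns two distinct messages, the second returns the same one.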

BreadGenie commented 1 month ago

should be fixed in https://github.com/frappe/press/commit/c1b7d84fcc75c1d1636d2c35bd2d9c80f511906d