quintel / etengine

Calculation engine for the Energy Transition Model
https://energytransitionmodel.com/
MIT License

Providing an API-key from user prevents access to public scenarios on `/api/v3/scenarios` when copying a scenario #1460

Open thesethtruth opened 2 months ago

thesethtruth commented 2 months ago

Current behavior

  1. No token or invalid token is accepted to copy a public scenario ✅
  2. Personal token/API-key that is not the same as the public scenario's 'creator/owner' does not work ❌

Exp. 1 - using example YOUR_TOKEN as auth (so not a valid key) ✅

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer YOUR_TOKEN"
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}

# POST to /api/v3/scenarios to copy scenario 1234 (the request line was missing from the snippet)
response = requests.post(url, headers=headers, json=data)
print(response.status_code)
print(response.reason)
>> 200
>> 'OK'

Exp. 2 - without auth ✅

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
}
data = {
    "scenario": {
        "scenario_id": "1234"
    }
}

# Same copy request, this time without any Authorization header
response = requests.post(url, headers=headers, json=data)
print(response.status_code)
print(response.reason)
>> 200
>> 'OK'

Exp. 3 - with actually existing API key (but not of scenario owner) ❌

import requests

url = "https://engine.energytransitionmodel.com/api/v3/scenarios"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer <VALID_KEY>"
}
data = {
    "scenario": {
        "scenario_id": "1234"
}

# Same copy request with a real API key that does not belong to the scenario's owner
response = requests.post(url, headers=headers, json=data)
print(response.status_code)
print(response.reason)
print(response.json()['errors'])
>> 403
>> 'Forbidden'
>> ['Scenario does not belong to you']

Expected behaviour

Regardless of the Auth bearer I want to be able to copy public scenarios.
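The authorization decision the three experiments reveal, modelled in Ruby as an added example (not etengine's own code): the observed policy only consults ownership once a caller is authenticated, so a valid key that is not the owner's is refused even for a public scenario, while the expected policy checks visibility first and ownership only for private scenarios. The scenario ids, the token table and the helper names are constructed for illustration.

```ruby
# Added example, not etengine's own code. Models the copy-authorization decision
# described in the issue; all scenario ids, tokens and helper names are constructed.

Scenario = Struct.new(:id, :owner_id, :public, keyword_init: true)

# Constructed sample data: one public and one private scenario, both owned by user 1.
SCENARIOS = {
  1234 => Scenario.new(id: 1234, owner_id: 1, public: true),
  5678 => Scenario.new(id: 5678, owner_id: 1, public: false),
}.freeze

# Constructed token table. "YOUR_TOKEN" and a missing header are not present, so
# they resolve to no user and are treated as anonymous, matching Exp. 1 and 2.
API_KEYS = { "owner-key" => 1, "other-key" => 2 }.freeze

def user_for(token)
  API_KEYS[token]
end

# Observed behaviour (Exp. 1-3): anonymous callers may copy any public scenario,
# but an authenticated caller must own the scenario, even when it is public.
def observed_copy_allowed?(scenario, token)
  user_id = user_for(token)
  return scenario.public if user_id.nil?
  scenario.owner_id == user_id
end

# Expected behaviour from the issue: ownership only matters for private scenarios,
# so the bearer token is irrelevant when the scenario is public.
def expected_copy_allowed?(scenario, token)
  return true if scenario.public
  user_id = user_for(token)
  !user_id.nil? && scenario.owner_id == user_id
end

# Render the decision the way the API reports it: 200 on success, otherwise 403
# with the error message quoted in Exp. 3.
def copy_response(scenario_id, token, policy)
  scenario = SCENARIOS.fetch(scenario_id)
  if send(policy, scenario, token)
    [200, "OK", []]
  else
    [403, "Forbidden", ["Scenario does not belong to you"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  [["YOUR_TOKEN", "Exp. 1 (invalid token)"],
   [nil, "Exp. 2 (no token)"],
   ["other-key", "Exp. 3 (valid key, not owner)"]].each do |token, label|
    observed = copy_response(1234, token, :observed_copy_allowed?)
    expected = copy_response(1234, token, :expected_copy_allowed?)
    puts "#{label}: observed #{observed[0]} #{observed[1]}, expected #{expected[0]} #{expected[1]}"
  end
end
```

Running the file prints the three experiments side by side; only Exp. 3 differs between the two policies, and the private scenario 5678 stays owner-only under both, which is the property a fix for this issue should preserve.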

noracato commented 2 months ago

Thanks @thesethtruth for your issue! I'll put it on our dev backlog

github-actions[bot] commented 3 days ago

This issue has had no activity for 60 days and will be closed in 7 days. Removing the "Stale" label or posting a comment will prevent it from being closed automatically. You can also add the "Pinned" label to ensure it isn't marked as stale in the future.