Security fixes from git

server/src/uds/REST/handlers.py

@@ -36,13 +36,12 @@ import codecs
 from django.contrib.sessions.backends.base import SessionBase
 from django.contrib.sessions.backends.db import SessionStore
 
-from uds.core import consts
+from uds.core import consts, types
 from uds.core.util.config import GlobalConfig
 from uds.core.auths.auth import root_user
 from uds.core.util import net
 from uds.models import Authenticator, User
 from uds.core.managers.crypto import CryptoManager
-from uds.core.util.state import State
 
 from ..core.exceptions.rest import AccessDenied
 
@@ -145,10 +144,9 @@ class Handler:
                 # Maybe the user was deleted, so access is denied
                 raise AccessDenied() from e
         else:
-            # self._user = User()  # Empty user for non authenticated handlers
-            raise AccessDenied()
+            self._user = User()  # Empty user for non authenticated handlers
 
-        if self._user and self._user.state != State.ACTIVE:
+        if self._user and self._user.state != types.states.State.ACTIVE:
             raise AccessDenied()
 
     def headers(self) -> dict[str, str]:

server/src/uds/middleware/request.py

@@ -37,13 +37,12 @@ from django.utils import timezone
 
 from uds.core.util import os_detector as OsDetector
 from uds.core.util.config import GlobalConfig
-from uds.core import consts
+from uds.core import consts, types
 from uds.core.auths.auth import (
     root_user,
     web_logout,
 )
 from uds.models import User
-from uds.core.util.state import State
 
 
 from . import builder
@@ -121,7 +120,7 @@ def _get_user(request: 'ExtendedHttpRequest') -> None:
                 user = User.objects.get(pk=user_id)
         except User.DoesNotExist:
             user = None
-    if user and user.state != State.ACTIVE:
+    if user and user.state != types.states.State.ACTIVE:
         user = None
 
     logger.debug('User at Middleware: %s %s', user_id, user)