API V2: remove write access to superusers (#10498)

We have access to some write operations using a build API token, we no longer need to grant access to superusers.

- All usage of super/staff users have been removed from the API, they have read-only access as any other user now.
- APIRestrictedPermission has been renamed to ReadOnlyPermission, since that's what it checks now.

Author: stsewd

docs/dev/settings.rst

@@ -19,22 +19,6 @@ memory
     Examples: '200m' for 200MB of total memory, or '2g' for 2GB of
     total memory.
 
-SLUMBER_USERNAME
-----------------
-
-.. Don't set this automatically, lest we leak something. We are using the dev
-   settings in the conf.py, but it's probably a good idea to be safe.
-
-The username to use when connecting to the Read the Docs API. Used for hitting the API while building the docs.
-
-SLUMBER_PASSWORD
-----------------
-
-.. Don't set this automatically, lest we leak something. We are using the dev
-   settings in the conf.py, but it's probably a good idea to be safe.
-
-The password to use when connecting to the Read the Docs API. Used for hitting the API while building the docs.
-
 USE_SUBDOMAIN
 ---------------
 

readthedocs/api/v2/permissions.py

@@ -16,28 +16,12 @@ def has_object_permission(self, request, view, obj):
         return request.user in obj.users.all()
 
 
-class APIRestrictedPermission(permissions.BasePermission):
+class ReadOnlyPermission(permissions.BasePermission):
 
-    """
-    Allow admin write, authenticated and anonymous read only.
-
-    This differs from :py:class:`APIPermission` by not allowing for
-    authenticated POSTs. This permission is endpoints like ``/api/v2/build/``,
-    which are used by admin users to coordinate build instance creation, but
-    only should be readable by end users.
-    """
+    """Allow read-only access to authenticated and anonymous users."""
 
     def has_permission(self, request, view):
-        return (
-            request.method in permissions.SAFE_METHODS or
-            (request.user and request.user.is_staff)
-        )
-
-    def has_object_permission(self, request, view, obj):
-        return (
-            request.method in permissions.SAFE_METHODS or
-            (request.user and request.user.is_staff)
-        )
+        return request.method in permissions.SAFE_METHODS
 
 
 class IsAuthorizedToViewVersion(permissions.BasePermission):
@@ -89,6 +73,8 @@ class HasBuildAPIKey(BaseHasAPIKey):
     to avoid having to parse and validate the key again on each view.
     The key is injected in the ``request.build_api_key`` attribute
     only if it's valid, otherwise it's set to ``None``.
+
+    This grants read and write access to the API.
     """
 
     model = BuildAPIKey

readthedocs/api/v2/views/model_views.py

@@ -7,19 +7,14 @@
 from django.core.exceptions import PermissionDenied
 from django.db.models import BooleanField, Case, Value, When
 from django.http import Http404
-from django.shortcuts import get_object_or_404
 from django.template.loader import render_to_string
-from rest_framework import decorators, permissions, status, viewsets
+from rest_framework import decorators, status, viewsets
 from rest_framework.mixins import CreateModelMixin, UpdateModelMixin
 from rest_framework.parsers import JSONParser, MultiPartParser
 from rest_framework.renderers import BaseRenderer, JSONRenderer
 from rest_framework.response import Response
 
-from readthedocs.api.v2.permissions import (
-    APIRestrictedPermission,
-    HasBuildAPIKey,
-    IsOwner,
-)
+from readthedocs.api.v2.permissions import HasBuildAPIKey, IsOwner, ReadOnlyPermission
 from readthedocs.api.v2.utils import normalize_build_command
 from readthedocs.builds.constants import INTERNAL
 from readthedocs.builds.models import Build, BuildCommandResult, Version
@@ -129,18 +124,16 @@ class UserSelectViewSet(viewsets.ReadOnlyModelViewSet):
     View set that varies serializer class based on request user credentials.
 
     Viewsets using this class should have an attribute `admin_serializer_class`,
-    which is a serializer that might have more fields that only admin/staff
-    users require. If the user is staff, this class will be returned instead.
+    which is a serializer that might have more fields that only the builders
+    require. If the request is using a Build API key, this class will be returned instead.
 
     By default read-only endpoints will be allowed,
     to allow write endpoints, inherit from the proper ``rest_framework.mixins.*`` classes.
     """
 
     def get_serializer_class(self):
         try:
-            if (
-                self.request.user.is_staff or self.request.build_api_key
-            ) and self.admin_serializer_class is not None:
+            if self.request.build_api_key and self.admin_serializer_class is not None:
                 return self.admin_serializer_class
         except AttributeError:
             pass
@@ -169,7 +162,7 @@ class ProjectViewSet(DisableListEndpoint, UpdateModelMixin, UserSelectViewSet):
 
     """List, filter, etc, Projects."""
 
-    permission_classes = [HasBuildAPIKey | APIRestrictedPermission]
+    permission_classes = [HasBuildAPIKey | ReadOnlyPermission]
     renderer_classes = (JSONRenderer,)
     serializer_class = ProjectSerializer
     admin_serializer_class = ProjectAdminSerializer
@@ -214,7 +207,7 @@ def get_queryset_for_api_key(self, api_key):
 
 class VersionViewSet(DisableListEndpoint, UpdateModelMixin, UserSelectViewSet):
 
-    permission_classes = [HasBuildAPIKey | APIRestrictedPermission]
+    permission_classes = [HasBuildAPIKey | ReadOnlyPermission]
     renderer_classes = (JSONRenderer,)
     serializer_class = VersionSerializer
     admin_serializer_class = VersionAdminSerializer
@@ -232,7 +225,7 @@ def get_queryset(self):
 
 
 class BuildViewSet(DisableListEndpoint, UpdateModelMixin, UserSelectViewSet):
-    permission_classes = [HasBuildAPIKey | APIRestrictedPermission]
+    permission_classes = [HasBuildAPIKey | ReadOnlyPermission]
     renderer_classes = (JSONRenderer, PlainTextBuildRenderer)
     model = Build
     filterset_fields = ('project__slug', 'commit')
@@ -245,7 +238,7 @@ def get_serializer_class(self):
         pre-process the `command` field before returning it to the user, and we
         also want to have a specific serializer for admins.
         """
-        if self.request.user.is_staff or self.request.build_api_key:
+        if self.request.build_api_key:
             # Logic copied from `UserSelectViewSet.get_serializer_class`
             # and extended to choose serializer from self.action
             if self.action not in ["list", "retrieve"]:
@@ -255,22 +248,20 @@ def get_serializer_class(self):
 
     @decorators.action(
         detail=False,
-        permission_classes=[HasBuildAPIKey | permissions.IsAdminUser],
+        permission_classes=[HasBuildAPIKey],
         methods=['get'],
     )
     def concurrent(self, request, **kwargs):
         project_slug = request.GET.get('project__slug')
         build_api_key = request.build_api_key
-        if build_api_key:
-            if project_slug != build_api_key.project.slug:
-                log.info(
-                    "Project slug doesn't match the one attached to the API key.",
-                    project_slug=project_slug,
-                )
-                raise Http404()
-            project = build_api_key.project
-        else:
-            project = get_object_or_404(Project, slug=project_slug)
+        if project_slug != build_api_key.project.slug:
+            log.warning(
+                "Project slug doesn't match the one attached to the API key.",
+                api_key_id=build_api_key.id,
+                project_slug=project_slug,
+            )
+            raise Http404()
+        project = build_api_key.project
         limit_reached, concurrent, max_concurrent = Build.objects.concurrent(project)
         data = {
             'limit_reached': limit_reached,
@@ -319,7 +310,7 @@ def retrieve(self, *args, **kwargs):
 
     @decorators.action(
         detail=True,
-        permission_classes=[HasBuildAPIKey | permissions.IsAdminUser],
+        permission_classes=[HasBuildAPIKey],
         methods=['post'],
     )
     def reset(self, request, **kwargs):
@@ -334,27 +325,25 @@ def get_queryset_for_api_key(self, api_key):
 
 class BuildCommandViewSet(DisableListEndpoint, CreateModelMixin, UserSelectViewSet):
     parser_classes = [JSONParser, MultiPartParser]
-    permission_classes = [HasBuildAPIKey | APIRestrictedPermission]
+    permission_classes = [HasBuildAPIKey | ReadOnlyPermission]
     renderer_classes = (JSONRenderer,)
     serializer_class = BuildCommandSerializer
     model = BuildCommandResult
 
     def perform_create(self, serializer):
         """Restrict creation to builds attached to the project from the api key."""
         build_pk = serializer.validated_data["build"].pk
-        api_key = self.request.build_api_key
-        if api_key and not api_key.project.builds.filter(pk=build_pk).exists():
+        build_api_key = self.request.build_api_key
+        if not build_api_key.project.builds.filter(pk=build_pk).exists():
             raise PermissionDenied()
-        # If the request isn't attached to a build api key,
-        # the user doing the request is a superuser, so it has access to all projects.
         return super().perform_create(serializer)
 
     def get_queryset_for_api_key(self, api_key):
         return self.model.objects.filter(build__project=api_key.project)
 
 
 class DomainViewSet(DisableListEndpoint, UserSelectViewSet):
-    permission_classes = [APIRestrictedPermission]
+    permission_classes = [ReadOnlyPermission]
     renderer_classes = (JSONRenderer,)
     serializer_class = DomainSerializer
     model = Domain