(fix) Fix - don't allow viewer roles to create virtual keys (#6764)

* fix ui route permissions * fix test_is_ui_route_allowed * fix test_is_ui_route_allowed * test_user_role_permissions
2024-11-15 18:02:13 -08:00 · 2024-11-15 18:02:13 -08:00 · 6d2ee70a9a
commit 6d2ee70a9a
parent 9ba8f40bd1
6 changed files with 148 additions and 42 deletions
--- a/tests/local_testing/test_user_api_key_auth.py
+++ b/tests/local_testing/test_user_api_key_auth.py
@ -305,14 +305,14 @@ async def test_auth_with_allowed_routes(route, should_raise_error):
    [
        # Proxy Admin checks
        ("/global/spend/logs", "proxy_admin", True),
-        ("/key/delete", "proxy_admin", True),
-        ("/key/generate", "proxy_admin", True),
-        ("/key/regenerate", "proxy_admin", True),
+        ("/key/delete", "proxy_admin", False),
+        ("/key/generate", "proxy_admin", False),
+        ("/key/regenerate", "proxy_admin", False),
        # Internal User checks - allowed routes
        ("/global/spend/logs", "internal_user", True),
-        ("/key/delete", "internal_user", True),
-        ("/key/generate", "internal_user", True),
-        ("/key/82akk800000000jjsk/regenerate", "internal_user", True),
+        ("/key/delete", "internal_user", False),
+        ("/key/generate", "internal_user", False),
+        ("/key/82akk800000000jjsk/regenerate", "internal_user", False),
        # Internal User Viewer
        ("/key/generate", "internal_user_viewer", False),
        # Internal User checks - disallowed routes
@ -320,7 +320,7 @@ async def test_auth_with_allowed_routes(route, should_raise_error):
    ],
 )
 def test_is_ui_route_allowed(route, user_role, expected_result):
-    from litellm.proxy.auth.user_api_key_auth import _is_ui_route_allowed
+    from litellm.proxy.auth.user_api_key_auth import _is_ui_route
    from litellm.proxy._types import LiteLLM_UserTable

    user_obj = LiteLLM_UserTable(
@ -342,7 +342,7 @@ def test_is_ui_route_allowed(route, user_role, expected_result):
        "user_obj": user_obj,
    }
    try:
-        assert _is_ui_route_allowed(**received_args) == expected_result
+        assert _is_ui_route(**received_args) == expected_result
    except Exception as e:
        # If expected result is False, we expect an error
        if expected_result is False: