linuxfoundation · lukaszgryglicki · Jun 4, 2025 · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025
diff --git a/cla-backend-go/users/handlers.go b/cla-backend-go/users/handlers.go
@@ -257,8 +257,8 @@ func Configure(api *operations.ClaAPI, service Service, eventsService events.Ser
 		}
 
 		userModel, err := service.GetUser(params.UserID)
-		if err != nil {
-			log.WithFields(f).Warnf("error retrieving user for user_id: %s, error: %+v", params.UserID, err)
+		if err != nil || userModel == nil {
+			log.WithFields(f).Warnf("error retrieving user for user_id: %s, error: %+v, userModel is nil: %v", params.UserID, err, userModel == nil)
 			return users.NewGetUserCompatBadRequest().WithPayload(errorResponse(err))
 		}
 

diff --git a/cla-backend/cla/routes.py b/cla-backend/cla/routes.py
@@ -38,6 +38,14 @@
     get_log_middleware
 )
 
+# Check if authenticated user (via bearer token) is the same as user_id - if not raise exception permission denied
+# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
-# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
+# LG: comment this out to turn off this check added after LFID is required everywhere in EasyCLA
-# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
+# LG: comment this out to turn off this check added after LFID is required everywhere in EasyCLA
+def check_user_id_is_current(auth_user, user_id):
+    auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
+    if str(user_id) != auth_user_id:
+        cla.log.debug(f'request_individual_signature - auth user UUID {auth_user_id} is not the same as requested signature UUID {str(user_id)}')
+        raise cla.auth.AuthError('permission denied')
-# Check if authenticated user (via bearer token) is the same as user_id - if not raise exception permission denied
-# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
-def check_user_id_is_current(auth_user, user_id):
-    auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
-    if str(user_id) != auth_user_id:
-        cla.log.debug(f'request_individual_signature - auth user UUID {auth_user_id} is not the same as requested signature UUID {str(user_id)}')
-        raise cla.auth.AuthError('permission denied')
+# Check if authenticated user (via bearer token) is the same as user_id - if not raise permission denied exception
+# LG: comment this out to turn off this check added after LFID is required everywhere in EasyCLA
+def check_user_id_is_current(auth_user, user_id):
+    auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
+    if str(user_id) != auth_user_id:
+        cla.log.debug(f'check_user_id_is_current - auth user UUID {auth_user_id} is not the same as requested user UUID {str(user_id)}')
+        raise cla.auth.AuthError('permission denied')
-# Check if authenticated user (via bearer token) is the same as user_id - if not raise exception permission denied
-# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
-def check_user_id_is_current(auth_user, user_id):
-    auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
-    if str(user_id) != auth_user_id:
-        cla.log.debug(f'request_individual_signature - auth user UUID {auth_user_id} is not the same as requested signature UUID {str(user_id)}')
-        raise cla.auth.AuthError('permission denied')
+# Check if authenticated user (via bearer token) is the same as user_id - if not raise permission denied exception
+# LG: comment this out to turn off this check added after LFID is required everywhere in EasyCLA
+def check_user_id_is_current(auth_user, user_id):
+    auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
+    if str(user_id) != auth_user_id:
+        cla.log.debug(f'check_user_id_is_current - auth user UUID {auth_user_id} is not the same as requested user UUID {str(user_id)}')
+        raise cla.auth.AuthError('permission denied')
+
 
 #
 # Middleware
@@ -103,7 +111,10 @@ def get_health(request):
 
 # LG: This is ported to golang and no longer used in dev (still used in prod)
 @hug.get("/user/{user_id}", versions=2)
-def get_user(user_id: hug.types.uuid):
+def get_user(
+        auth_user: check_auth,
+        user_id: hug.types.uuid
+):
     """
     GET: /user/{user_id}
 
@@ -118,6 +129,7 @@ def get_user(user_id: hug.types.uuid):
     #     else:
     #         raise auth_err
 
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.get_user(user_id=user_id)
 
 
@@ -139,6 +151,7 @@ def get_user_signatures(auth_user: check_auth, user_id: hug.types.uuid):
 
     Returns a list of signatures associated with a user.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.get_user_signatures(user_id)
 
 
@@ -156,6 +169,7 @@ def get_users_company(auth_user: check_auth, user_company_id: hug.types.uuid):
 # We can't change API URL to be inclusive yet as this would break all consumers and require acs-cli and lfx-gateway updates
 @hug.post("/user/{user_id}/request-company-whitelist/{company_id}", versions=2)
 def request_company_allowlist(
+        auth_user: check_auth,
         user_id: hug.types.uuid,
         company_id: hug.types.uuid,
         user_name: hug.types.text,
@@ -173,6 +187,7 @@ def request_company_allowlist(
     Performs the necessary actions (ie: send email to manager) when the specified user requests to
     be added the the specified company's allowlist.
     """
+    # check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.request_company_allowlist(
         user_id, str(company_id), str(user_name), str(user_email), str(project_id), message,
         str(recipient_name), str(recipient_email),
@@ -181,6 +196,7 @@ def request_company_allowlist(
 
 @hug.post("/user/{user_id}/invite-company-admin", versions=2)
 def invite_company_admin(
+        auth_user: check_auth,
         user_id: hug.types.uuid,
         contributor_name: hug.types.text,
         contributor_email: cla.hug_types.email,
@@ -203,6 +219,7 @@ def invite_company_admin(
 
     Sends an Email to the prospective CLA Manager to sign up through the ccla console.
     """
+    # check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.invite_cla_manager(
         str(user_id), str(contributor_name), str(contributor_email),
         str(cla_manager_name), str(cla_manager_email),
@@ -212,6 +229,7 @@ def invite_company_admin(
 
 @hug.post("/user/{user_id}/request-company-ccla", versions=2)
 def request_company_ccla(
+        auth_user: check_auth,
         user_id: hug.types.uuid, user_email: cla.hug_types.email, company_id: hug.types.uuid,
         project_id: hug.types.uuid,
 ):
@@ -220,6 +238,7 @@ def request_company_ccla(
 
     Sends an Email to an admin of an existing company to sign a CCLA.
     """
+    # check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.request_company_ccla(str(user_id), str(user_email), str(company_id), str(project_id))
 
 
@@ -236,7 +255,10 @@ def request_company_ccla(
 
 # LG: This is ported to golang and no longer used in dev (still used in prod)
 @hug.get("/user/{user_id}/active-signature", versions=2)
-def get_user_active_signature(user_id: hug.types.uuid):
+def get_user_active_signature(
+        auth_user: check_auth,
+        user_id: hug.types.uuid
+):
     """
     GET: /user/{user_id}/active-signature
 
@@ -250,28 +272,35 @@ def get_user_active_signature(user_id: hug.types.uuid):
 
     Returns null if the user does not have an active signature.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.get_active_signature(user_id)
 
 
 @hug.get("/user/{user_id}/project/{project_id}/last-signature", versions=2)
-def get_user_project_last_signature(user_id: hug.types.uuid, project_id: hug.types.uuid):
+def get_user_project_last_signature(
+        auth_user: check_auth,
+        user_id: hug.types.uuid, project_id: hug.types.uuid
+):
     """
     GET: /user/{user_id}/project/{project_id}/last-signature
 
     Returns the user's latest ICLA signature for the project specified.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.get_user_project_last_signature(user_id, project_id)
 
 
 @hug.get("/user/{user_id}/project/{project_id}/last-signature/{company_id}", versions=1)
 def get_user_project_company_last_signature(
+        auth_user: check_auth,
         user_id: hug.types.uuid, project_id: hug.types.uuid, company_id: hug.types.uuid
 ):
     """
     GET: /user/{user_id}/project/{project_id}/last-signature/{company_id}
 
     Returns the user's latest employee signature for the project and company specified.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.user.get_user_project_company_last_signature(user_id, project_id, company_id)
 
 
@@ -413,6 +442,7 @@ def get_signatures_user(auth_user: check_auth, user_id: hug.types.uuid):
 
     Get all signatures for user specified.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signature.get_user_signatures(user_id)
 
 
@@ -423,6 +453,7 @@ def get_signatures_user_project(auth_user: check_auth, user_id: hug.types.uuid,
 
     Get all signatures for user, filtered by project_id specified.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signature.get_user_project_signatures(user_id, project_id)
 
 
@@ -438,6 +469,7 @@ def get_signatures_user_project(
 
     Get all signatures for user, filtered by project_id and signature type specified.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signature.get_user_project_signatures(user_id, project_id, signature_type)
 
 
@@ -462,7 +494,7 @@ def get_signatures_project(auth_user: check_auth, project_id: hug.types.uuid):
 
 
 @hug.get("/signatures/company/{company_id}/project/{project_id}", versions=1)
-def get_signatures_project_company(company_id: hug.types.uuid, project_id: hug.types.uuid):
+def get_signatures_project_company(auth_user: check_auth, company_id: hug.types.uuid, project_id: hug.types.uuid):
     """
      GET: /signatures/company/{company_id}/project/{project_id}
 
@@ -472,7 +504,7 @@ def get_signatures_project_company(company_id: hug.types.uuid, project_id: hug.t
 
 
 @hug.get("/signatures/company/{company_id}/project/{project_id}/employee", versions=1)
-def get_project_employee_signatures(company_id: hug.types.uuid, project_id: hug.types.uuid):
+def get_project_employee_signatures(auth_user: check_auth, company_id: hug.types.uuid, project_id: hug.types.uuid):
     """
      GET: /signatures/company/{company_id}/project/{project_id}
 
@@ -625,7 +657,7 @@ def get_companies(auth_user: check_auth):
 
 
 @hug.get("/company", versions=2)
-def get_all_companies():
+def get_all_companies(auth_user: check_auth):
     """
     GET: /company
 
@@ -635,7 +667,7 @@ def get_all_companies():
 
 
 @hug.get("/company/{company_id}", versions=2)
-def get_company(company_id: hug.types.text):
+def get_company(auth_user: check_auth, company_id: hug.types.text):
     """
     GET: /company/{company_id}
 
@@ -645,7 +677,7 @@ def get_company(company_id: hug.types.text):
 
 
 @hug.get("/company/{company_id}/project/unsigned", versions=1)
-def get_unsigned_projects_for_company(company_id: hug.types.text):
+def get_unsigned_projects_for_company(auth_user: check_auth, company_id: hug.types.text):
     """
     GET: /company/{company_id}/project/unsigned
 
@@ -751,7 +783,7 @@ def put_company_allowlist_csv(body, auth_user: check_auth, company_id: hug.types
 
 
 @hug.get("/companies/{manager_id}", version=1)
-def get_manager_companies(manager_id: hug.types.uuid):
+def get_manager_companies(auth_user: check_auth, manager_id: hug.types.uuid):
     """
     GET: /companies/{manager_id}
 
@@ -780,7 +812,7 @@ def get_projects(auth_user: check_auth):
 
 # LG: This is ported to golang and no longer used in dev (still used in prod).
 @hug.get("/project/{project_id}", versions=2)
-def get_project(project_id: hug.types.uuid):
+def get_project(auth_user: check_auth, project_id: hug.types.uuid):
     """
     GET: /project/{project_id}
 
@@ -1015,6 +1047,7 @@ def get_project_configuration_orgs_and_repos(auth_user: check_auth, project_id:
 
 @hug.get("/project/{project_id}/document/{document_type}", versions=2)
 def get_project_document(
+        auth_user: check_auth,
         project_id: hug.types.uuid, document_type: hug.types.one_of(["individual", "corporate"]),
 ):
     """
@@ -1067,7 +1100,7 @@ def get_project_document_matching_version(
 
 
 @hug.get("/project/{project_id}/companies", versions=2)
-def get_project_companies(project_id: hug.types.uuid):
+def get_project_companies(auth_user: check_auth, project_id: hug.types.uuid):
     """
     GET: /project/{project_id}/companies
 s
@@ -1217,7 +1250,7 @@ def delete_project_document(
                         'user_id': 'some-user-uuid'}",
 )
 def request_individual_signature(
-        request, project_id: hug.types.uuid, user_id: hug.types.uuid, return_url_type=None, return_url=None,
+        auth_user: check_auth, request, project_id: hug.types.uuid, user_id: hug.types.uuid, return_url_type=None, return_url=None,
 ):
     """
     POST: /request-individual-signature
@@ -1240,8 +1273,10 @@ def request_individual_signature(
     User should hit the provided URL to initiate the signing process through the
     signing service provider.
     """
-    return cla.controllers.signing.request_individual_signature(project_id, user_id, return_url_type, return_url,
-                                                                request=request)
+    check_user_id_is_current(auth_user, user_id)
+    return cla.controllers.signing.request_individual_signature(
+        project_id, user_id, return_url_type, return_url, request=request
+    )
 
 
 @hug.post(
@@ -1287,7 +1322,7 @@ def request_corporate_signature(
 
     Returns a dict of the format:
 
-        {'company_id': <user_id>,
+        {'company_id': <company_id>,
          'signature_id': <signature_id>,
          'project_id': <project_id>,
          'sign_url': <sign_url>}
@@ -1311,6 +1346,7 @@ def request_corporate_signature(
 
 @hug.post("/request-employee-signature", versions=2)
 def request_employee_signature(
+        auth_user: check_auth,
         project_id: hug.types.uuid,
         company_id: hug.types.uuid,
         user_id: hug.types.uuid,
@@ -1330,13 +1366,15 @@ def request_employee_signature(
     require a full DocuSign signature process, which means the sign/callback URLs and document
     versions may not be populated or reliable.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signing.request_employee_signature(
         project_id, company_id, user_id, return_url_type, return_url
     )
 
 
 @hug.post("/check-prepare-employee-signature", versions=2)
 def check_and_prepare_employee_signature(
+        auth_user: check_auth,
         project_id: hug.types.uuid, company_id: hug.types.uuid, user_id: hug.types.uuid
 ):
     """
@@ -1349,6 +1387,7 @@ def check_and_prepare_employee_signature(
 
     Checks if an employee is ready to sign a CCLA for a company.
     """
+    check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signing.check_and_prepare_employee_signature(project_id, company_id, user_id)
 
 
@@ -1390,6 +1429,7 @@ def post_individual_signed_gitlab(
     Callback URL from signing service upon ICLA signature for a Gitlab user.
     """
     content = body.read()
+    # check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signing.post_individual_signed_gitlab(
         content, user_id, organization_id, gitlab_repository_id, merge_request_id
     )
@@ -1403,6 +1443,7 @@ def post_individual_signed_gerrit(body, user_id: hug.types.uuid):
     Callback URL from signing service upon ICLA signature for a Gerrit user.
     """
     content = body.read()
+    # check_user_id_is_current(auth_user, user_id)
     return cla.controllers.signing.post_individual_signed_gerrit(content, user_id)