fixes #3: basic permissions for update/delete actions
This commit is contained in:
parent
0684f927b4
commit
a05a6a7ec0
1 changed files with 20 additions and 19 deletions
37
ibt2.py
37
ibt2.py
|
@ -234,17 +234,6 @@ class CollectionHandler(BaseHandler):
|
||||||
del data[key]
|
del data[key]
|
||||||
return data
|
return data
|
||||||
|
|
||||||
def apply_filter(self, data, filter_name):
|
|
||||||
"""Apply a filter to the data.
|
|
||||||
|
|
||||||
:param data: the data to filter
|
|
||||||
:returns: the modified (possibly also in place) data
|
|
||||||
"""
|
|
||||||
filter_method = getattr(self, 'filter_%s' % filter_name, None)
|
|
||||||
if filter_method is not None:
|
|
||||||
data = filter_method(data)
|
|
||||||
return data
|
|
||||||
|
|
||||||
|
|
||||||
class AttendeesHandler(CollectionHandler):
|
class AttendeesHandler(CollectionHandler):
|
||||||
document = 'attendee'
|
document = 'attendee'
|
||||||
|
@ -270,7 +259,6 @@ class AttendeesHandler(CollectionHandler):
|
||||||
data['updated_by'] = user_id
|
data['updated_by'] = user_id
|
||||||
data['updated_at'] = now
|
data['updated_at'] = now
|
||||||
doc = self.db.add(self.collection, data)
|
doc = self.db.add(self.collection, data)
|
||||||
doc = self.apply_filter(doc, 'create')
|
|
||||||
self.write(doc)
|
self.write(doc)
|
||||||
|
|
||||||
@gen.coroutine
|
@gen.coroutine
|
||||||
|
@ -279,22 +267,35 @@ class AttendeesHandler(CollectionHandler):
|
||||||
self._clean_dict(data)
|
self._clean_dict(data)
|
||||||
if '_id' in data:
|
if '_id' in data:
|
||||||
del data['_id']
|
del data['_id']
|
||||||
|
doc = self.db.getOne(self.collection, {'_id': id_}) or {}
|
||||||
|
owner_id = doc.get('created_by')
|
||||||
user_info = self.current_user_info
|
user_info = self.current_user_info
|
||||||
|
if not doc:
|
||||||
|
return self.build_error(status=404, message='unable to access the resource')
|
||||||
|
if (owner_id and str(self.current_user_info.get('_id')) != str(owner_id) and not
|
||||||
|
self.current_user_info.get('isAdmin')):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
|
||||||
user_id = user_info.get('_id')
|
user_id = user_info.get('_id')
|
||||||
now = datetime.datetime.now()
|
now = datetime.datetime.now()
|
||||||
data['updated_by'] = user_id
|
data['updated_by'] = user_id
|
||||||
data['updated_at'] = now
|
data['updated_at'] = now
|
||||||
merged, doc = self.db.update(self.collection, {'_id': id_}, data)
|
merged, doc = self.db.update(self.collection, {'_id': id_}, data)
|
||||||
doc = self.apply_filter(doc, 'update')
|
|
||||||
self.write(doc)
|
self.write(doc)
|
||||||
|
|
||||||
@gen.coroutine
|
@gen.coroutine
|
||||||
def delete(self, id_=None, **kwargs):
|
def delete(self, id_=None, **kwargs):
|
||||||
if id_ is not None:
|
if id_ is None:
|
||||||
|
self.write({'success': False})
|
||||||
|
return
|
||||||
|
doc = self.db.getOne(self.collection, {'_id': id_}) or {}
|
||||||
|
owner_id = doc.get('created_by')
|
||||||
|
if not doc:
|
||||||
|
return self.build_error(status=404, message='unable to access the resource')
|
||||||
|
if (owner_id and str(self.current_user_info.get('_id')) != str(owner_id) and not
|
||||||
|
self.current_user_info.get('isAdmin')):
|
||||||
|
return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
|
||||||
howMany = self.db.delete(self.collection, id_)
|
howMany = self.db.delete(self.collection, id_)
|
||||||
self.write({'success': True, 'deleted entries': howMany.get('n')})
|
self.write({'success': True, 'deleted entries': howMany.get('n')})
|
||||||
else:
|
|
||||||
self.write({'success': False})
|
|
||||||
|
|
||||||
|
|
||||||
class DaysHandler(CollectionHandler):
|
class DaysHandler(CollectionHandler):
|
||||||
|
@ -423,7 +424,7 @@ class UsersHandler(CollectionHandler):
|
||||||
# Avoid overriding _id
|
# Avoid overriding _id
|
||||||
del data['_id']
|
del data['_id']
|
||||||
if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'):
|
if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'):
|
||||||
return self.build_error(status=401, message='insufficient permissions: current user')
|
return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
|
||||||
merged, doc = self.db.update(self.collection, {'_id': id_}, data)
|
merged, doc = self.db.update(self.collection, {'_id': id_}, data)
|
||||||
self.write(doc)
|
self.write(doc)
|
||||||
|
|
||||||
|
@ -432,7 +433,7 @@ class UsersHandler(CollectionHandler):
|
||||||
if id_ is None:
|
if id_ is None:
|
||||||
return self.build_error(status=404, message='unable to access the resource')
|
return self.build_error(status=404, message='unable to access the resource')
|
||||||
if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'):
|
if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'):
|
||||||
return self.build_error(status=401, message='insufficient permissions: current user')
|
return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
|
||||||
if id_ in self._users_cache:
|
if id_ in self._users_cache:
|
||||||
del self._users_cache[id_]
|
del self._users_cache[id_]
|
||||||
howMany = self.db.delete(self.collection, id_)
|
howMany = self.db.delete(self.collection, id_)
|
||||||
|
|
Loading…
Reference in a new issue