fixes #3: basic permissions for update/delete actions

This commit is contained in:
Davide Alberani 2017-01-15 23:24:07 +01:00
parent 0684f927b4
commit a05a6a7ec0

39
ibt2.py
View file

@ -234,17 +234,6 @@ class CollectionHandler(BaseHandler):
del data[key] del data[key]
return data return data
def apply_filter(self, data, filter_name):
"""Apply a filter to the data.
:param data: the data to filter
:returns: the modified (possibly also in place) data
"""
filter_method = getattr(self, 'filter_%s' % filter_name, None)
if filter_method is not None:
data = filter_method(data)
return data
class AttendeesHandler(CollectionHandler): class AttendeesHandler(CollectionHandler):
document = 'attendee' document = 'attendee'
@ -270,7 +259,6 @@ class AttendeesHandler(CollectionHandler):
data['updated_by'] = user_id data['updated_by'] = user_id
data['updated_at'] = now data['updated_at'] = now
doc = self.db.add(self.collection, data) doc = self.db.add(self.collection, data)
doc = self.apply_filter(doc, 'create')
self.write(doc) self.write(doc)
@gen.coroutine @gen.coroutine
@ -279,22 +267,35 @@ class AttendeesHandler(CollectionHandler):
self._clean_dict(data) self._clean_dict(data)
if '_id' in data: if '_id' in data:
del data['_id'] del data['_id']
doc = self.db.getOne(self.collection, {'_id': id_}) or {}
owner_id = doc.get('created_by')
user_info = self.current_user_info user_info = self.current_user_info
if not doc:
return self.build_error(status=404, message='unable to access the resource')
if (owner_id and str(self.current_user_info.get('_id')) != str(owner_id) and not
self.current_user_info.get('isAdmin')):
return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
user_id = user_info.get('_id') user_id = user_info.get('_id')
now = datetime.datetime.now() now = datetime.datetime.now()
data['updated_by'] = user_id data['updated_by'] = user_id
data['updated_at'] = now data['updated_at'] = now
merged, doc = self.db.update(self.collection, {'_id': id_}, data) merged, doc = self.db.update(self.collection, {'_id': id_}, data)
doc = self.apply_filter(doc, 'update')
self.write(doc) self.write(doc)
@gen.coroutine @gen.coroutine
def delete(self, id_=None, **kwargs): def delete(self, id_=None, **kwargs):
if id_ is not None: if id_ is None:
howMany = self.db.delete(self.collection, id_)
self.write({'success': True, 'deleted entries': howMany.get('n')})
else:
self.write({'success': False}) self.write({'success': False})
return
doc = self.db.getOne(self.collection, {'_id': id_}) or {}
owner_id = doc.get('created_by')
if not doc:
return self.build_error(status=404, message='unable to access the resource')
if (owner_id and str(self.current_user_info.get('_id')) != str(owner_id) and not
self.current_user_info.get('isAdmin')):
return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
howMany = self.db.delete(self.collection, id_)
self.write({'success': True, 'deleted entries': howMany.get('n')})
class DaysHandler(CollectionHandler): class DaysHandler(CollectionHandler):
@ -423,7 +424,7 @@ class UsersHandler(CollectionHandler):
# Avoid overriding _id # Avoid overriding _id
del data['_id'] del data['_id']
if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'): if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'):
return self.build_error(status=401, message='insufficient permissions: current user') return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
merged, doc = self.db.update(self.collection, {'_id': id_}, data) merged, doc = self.db.update(self.collection, {'_id': id_}, data)
self.write(doc) self.write(doc)
@ -432,7 +433,7 @@ class UsersHandler(CollectionHandler):
if id_ is None: if id_ is None:
return self.build_error(status=404, message='unable to access the resource') return self.build_error(status=404, message='unable to access the resource')
if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'): if str(self.current_user_info.get('_id')) != id_ and not self.current_user_info.get('isAdmin'):
return self.build_error(status=401, message='insufficient permissions: current user') return self.build_error(status=401, message='insufficient permissions: must be the owner or admin')
if id_ in self._users_cache: if id_ in self._users_cache:
del self._users_cache[id_] del self._users_cache[id_]
howMany = self.db.delete(self.collection, id_) howMany = self.db.delete(self.collection, id_)