From 8d112c13609967a6d7a6d0123fb7d51d8631c448 Mon Sep 17 00:00:00 2001 From: yiorgos marinellis Date: Wed, 13 May 2020 19:52:09 +0200 Subject: [PATCH] Abort snapshot action if current user is not owner of the (non-component) device --- ereuse_devicehub/resources/action/views.py | 10 +++++++++- ereuse_devicehub/resources/user/exceptions.py | 11 ++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/ereuse_devicehub/resources/action/views.py b/ereuse_devicehub/resources/action/views.py index 0c098352..5c2ea0f5 100644 --- a/ereuse_devicehub/resources/action/views.py +++ b/ereuse_devicehub/resources/action/views.py @@ -2,7 +2,7 @@ from distutils.version import StrictVersion from typing import List from uuid import UUID -from flask import current_app as app, request +from flask import current_app as app, request, g from sqlalchemy.util import OrderedSet from teal.marshmallow import ValidationError from teal.resource import View @@ -13,6 +13,8 @@ from ereuse_devicehub.resources.action.models import Action, RateComputer, Snaps from ereuse_devicehub.resources.action.rate.v1_0 import CannotRate from ereuse_devicehub.resources.device.models import Component, Computer from ereuse_devicehub.resources.enums import SnapshotSoftware +from ereuse_devicehub.resources.user.exceptions import InsufficientPermission + SUPPORTED_WORKBENCH = StrictVersion('11.0') @@ -56,6 +58,7 @@ class ActionView(View): # Note that if we set the device / components into the snapshot # model object, when we flush them to the db we will flush # snapshot, and we want to wait to flush snapshot at the end + device = snapshot_json.pop('device') # type: Computer components = None if snapshot_json['software'] == (SnapshotSoftware.Workbench or SnapshotSoftware.WorkbenchAndroid): 
@@ -73,6 +76,11 @@ class ActionView(View): assert not device.actions_one assert all(not c.actions_one for c in components) if components else True db_device, remove_actions = resource_def.sync.run(device, components) + + # Check ownership of (non-component) device to from current.user + if(db_device.owner_id != g.user.id): + raise InsufficientPermission() + del device # Do not use device anymore snapshot.device = db_device snapshot.actions |= remove_actions | actions_device # Set actions to snapshot diff --git a/ereuse_devicehub/resources/user/exceptions.py b/ereuse_devicehub/resources/user/exceptions.py index 2c16e000..bc50cdc6 100644 --- a/ereuse_devicehub/resources/user/exceptions.py +++ b/ereuse_devicehub/resources/user/exceptions.py @@ -1,5 +1,14 @@ -from werkzeug.exceptions import Unauthorized +from werkzeug.exceptions import Unauthorized, Forbidden class WrongCredentials(Unauthorized): description = 'There is not an user with the matching username/password' + + +class InsufficientPermission(Forbidden): + + description = ( + "You don't have the permissions to access the requested" + "resource. It is either read-protected or not readable by the" + "server." + )
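Review bot: The ownership check in the `@@ -73,6 +76,11` hunk of views.py runs only after `resource_def.sync.run(device, components)` has returned `db_device`, so anything sync already merged from the submitted snapshot into the session is still there when `InsufficientPermission` is raised. Nothing visible in the hunk rolls that back, so confirm the error path discards the session instead of letting a later flush persist changes to a device the caller does not own. The check also reads `g.user.id` with no guard visible here, and it would presumably reject a device that sync has just created unless `owner_id` defaults to the current user; both cases deserve a test. For style, drop the call-like parentheses and fix the garbled comment, e.g. `# Abort unless the current user owns the (non-component) device` above `if db_device.owner_id != g.user.id:`. The enclosing method starts and ends outside the hunk.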
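Review bot: The adjacent string literals in `InsufficientPermission.description` (exceptions.py hunk) are concatenated without separating spaces, so the response text reads "requestedresource" and "theserver."; end the first two fragments with a space: `"You don't have the permissions to access the requested "` and `"resource. It is either read-protected or not readable by the "`. The wording describes a read restriction, while the exception is raised when a snapshot is submitted for a device the caller does not own, so a message that says the user is not the owner of the device would be more accurate for API clients and for anyone reading access-denied logs. A one-line docstring such as `"""Raised (HTTP 403) when the authenticated user does not own the target device."""` would document the intent and distinguish it from `WrongCredentials`.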