Abort snapshot action if current user is not owner of the
(non-component) device
This commit is contained in:
parent
b0d4e06ac2
commit
8d112c1360
|
@ -2,7 +2,7 @@ from distutils.version import StrictVersion
|
||||||
from typing import List
|
from typing import List
|
||||||
from uuid import UUID
|
from uuid import UUID
|
||||||
|
|
||||||
from flask import current_app as app, request
|
from flask import current_app as app, request, g
|
||||||
from sqlalchemy.util import OrderedSet
|
from sqlalchemy.util import OrderedSet
|
||||||
from teal.marshmallow import ValidationError
|
from teal.marshmallow import ValidationError
|
||||||
from teal.resource import View
|
from teal.resource import View
|
||||||
|
@ -13,6 +13,8 @@ from ereuse_devicehub.resources.action.models import Action, RateComputer, Snaps
|
||||||
from ereuse_devicehub.resources.action.rate.v1_0 import CannotRate
|
from ereuse_devicehub.resources.action.rate.v1_0 import CannotRate
|
||||||
from ereuse_devicehub.resources.device.models import Component, Computer
|
from ereuse_devicehub.resources.device.models import Component, Computer
|
||||||
from ereuse_devicehub.resources.enums import SnapshotSoftware
|
from ereuse_devicehub.resources.enums import SnapshotSoftware
|
||||||
|
from ereuse_devicehub.resources.user.exceptions import InsufficientPermission
|
||||||
|
|
||||||
|
|
||||||
SUPPORTED_WORKBENCH = StrictVersion('11.0')
|
SUPPORTED_WORKBENCH = StrictVersion('11.0')
|
||||||
|
|
||||||
|
@ -56,6 +58,7 @@ class ActionView(View):
|
||||||
# Note that if we set the device / components into the snapshot
|
# Note that if we set the device / components into the snapshot
|
||||||
# model object, when we flush them to the db we will flush
|
# model object, when we flush them to the db we will flush
|
||||||
# snapshot, and we want to wait to flush snapshot at the end
|
# snapshot, and we want to wait to flush snapshot at the end
|
||||||
|
|
||||||
device = snapshot_json.pop('device') # type: Computer
|
device = snapshot_json.pop('device') # type: Computer
|
||||||
components = None
|
components = None
|
||||||
if snapshot_json['software'] == (SnapshotSoftware.Workbench or SnapshotSoftware.WorkbenchAndroid):
|
if snapshot_json['software'] == (SnapshotSoftware.Workbench or SnapshotSoftware.WorkbenchAndroid):
|
||||||
|
@ -73,6 +76,11 @@ class ActionView(View):
|
||||||
assert not device.actions_one
|
assert not device.actions_one
|
||||||
assert all(not c.actions_one for c in components) if components else True
|
assert all(not c.actions_one for c in components) if components else True
|
||||||
db_device, remove_actions = resource_def.sync.run(device, components)
|
db_device, remove_actions = resource_def.sync.run(device, components)
|
||||||
|
|
||||||
|
# Check ownership of (non-component) device to from current.user
|
||||||
|
if(db_device.owner_id != g.user.id):
|
||||||
|
raise InsufficientPermission()
|
||||||
|
|
||||||
del device # Do not use device anymore
|
del device # Do not use device anymore
|
||||||
snapshot.device = db_device
|
snapshot.device = db_device
|
||||||
snapshot.actions |= remove_actions | actions_device # Set actions to snapshot
|
snapshot.actions |= remove_actions | actions_device # Set actions to snapshot
|
||||||
|
|
|
@ -1,5 +1,14 @@
|
||||||
from werkzeug.exceptions import Unauthorized
|
from werkzeug.exceptions import Unauthorized, Forbidden
|
||||||
|
|
||||||
|
|
||||||
class WrongCredentials(Unauthorized):
|
class WrongCredentials(Unauthorized):
|
||||||
description = 'There is not an user with the matching username/password'
|
description = 'There is not an user with the matching username/password'
|
||||||
|
|
||||||
|
|
||||||
|
class InsufficientPermission(Forbidden):
|
||||||
|
|
||||||
|
description = (
|
||||||
|
"You don't have the permissions to access the requested"
|
||||||
|
"resource. It is either read-protected or not readable by the"
|
||||||
|
"server."
|
||||||
|
)
|
||||||
|
|
Reference in a new issue