Abort snapshot action if current user is not owner of the

(non-component) device
This commit is contained in:
yiorgos marinellis 2020-05-13 19:52:09 +02:00 committed by fedjo
parent b0d4e06ac2
commit 8d112c1360
2 changed files with 19 additions and 2 deletions

View file

@ -2,7 +2,7 @@ from distutils.version import StrictVersion
from typing import List from typing import List
from uuid import UUID from uuid import UUID
from flask import current_app as app, request from flask import current_app as app, request, g
from sqlalchemy.util import OrderedSet from sqlalchemy.util import OrderedSet
from teal.marshmallow import ValidationError from teal.marshmallow import ValidationError
from teal.resource import View from teal.resource import View
@ -13,6 +13,8 @@ from ereuse_devicehub.resources.action.models import Action, RateComputer, Snaps
from ereuse_devicehub.resources.action.rate.v1_0 import CannotRate from ereuse_devicehub.resources.action.rate.v1_0 import CannotRate
from ereuse_devicehub.resources.device.models import Component, Computer from ereuse_devicehub.resources.device.models import Component, Computer
from ereuse_devicehub.resources.enums import SnapshotSoftware from ereuse_devicehub.resources.enums import SnapshotSoftware
from ereuse_devicehub.resources.user.exceptions import InsufficientPermission
SUPPORTED_WORKBENCH = StrictVersion('11.0') SUPPORTED_WORKBENCH = StrictVersion('11.0')
@ -56,6 +58,7 @@ class ActionView(View):
# Note that if we set the device / components into the snapshot # Note that if we set the device / components into the snapshot
# model object, when we flush them to the db we will flush # model object, when we flush them to the db we will flush
# snapshot, and we want to wait to flush snapshot at the end # snapshot, and we want to wait to flush snapshot at the end
device = snapshot_json.pop('device') # type: Computer device = snapshot_json.pop('device') # type: Computer
components = None components = None
if snapshot_json['software'] == (SnapshotSoftware.Workbench or SnapshotSoftware.WorkbenchAndroid): if snapshot_json['software'] == (SnapshotSoftware.Workbench or SnapshotSoftware.WorkbenchAndroid):
@ -73,6 +76,11 @@ class ActionView(View):
assert not device.actions_one assert not device.actions_one
assert all(not c.actions_one for c in components) if components else True assert all(not c.actions_one for c in components) if components else True
db_device, remove_actions = resource_def.sync.run(device, components) db_device, remove_actions = resource_def.sync.run(device, components)
# Check ownership of (non-component) device to from current.user
if(db_device.owner_id != g.user.id):
raise InsufficientPermission()
del device # Do not use device anymore del device # Do not use device anymore
snapshot.device = db_device snapshot.device = db_device
snapshot.actions |= remove_actions | actions_device # Set actions to snapshot snapshot.actions |= remove_actions | actions_device # Set actions to snapshot

View file

@ -1,5 +1,14 @@
from werkzeug.exceptions import Unauthorized from werkzeug.exceptions import Unauthorized, Forbidden
class WrongCredentials(Unauthorized): class WrongCredentials(Unauthorized):
description = 'There is not an user with the matching username/password' description = 'There is not an user with the matching username/password'
class InsufficientPermission(Forbidden):
description = (
"You don't have the permissions to access the requested"
"resource. It is either read-protected or not readable by the"
"server."
)