fixing get_device permissions

This commit is contained in:
Cayo Puigdefabregas 2020-08-18 12:35:04 +02:00
parent 3e653ee190
commit a2b2be77f4
2 changed files with 3 additions and 1 deletions

View file

@ -129,6 +129,8 @@ class DeviceView(View):
@auth.Auth.requires_auth
def one_private(self, id: int):
device = Device.query.filter_by(id=id).one()
if hasattr(device, 'owner_id') and device.owner_id != g.user.id:
device = {}
return self.schema.jsonify(device)
@auth.Auth.requires_auth

View file

@ -127,7 +127,7 @@ def test_get_device(app: Devicehub, user: UserClient, user2: UserClient):
pc2, res2 = user2.get("/devices/1", None)
assert res2.status_code == 200
assert len(pc['actions']) == 0
assert pc2 == {}
@pytest.mark.mvp