fixing get_device permissions

ereuse_devicehub/resources/device/views.py

@@ -129,6 +129,8 @@ class DeviceView(View):
     @auth.Auth.requires_auth
     def one_private(self, id: int):
         device = Device.query.filter_by(id=id).one()
+        if hasattr(device, 'owner_id') and device.owner_id != g.user.id:
+            device = {}
         return self.schema.jsonify(device)
 
     @auth.Auth.requires_auth

tests/test_endpoints.py

@@ -127,7 +127,7 @@ def test_get_device(app: Devicehub, user: UserClient, user2: UserClient):
 
     pc2, res2 = user2.get("/devices/1", None)
     assert res2.status_code == 200
-    assert len(pc['actions']) == 0
+    assert pc2 == {}
 
 
 @pytest.mark.mvp