validate permissions on group add or remove on image
Christian Glatthard committed Aug 12, 2015
1 parent 16d1e1e commit c4a732f
Showing 2 changed files with 15 additions and 5 deletions.
2 changes: 2 additions & 0 deletions ipynbsrv/api/permissions.py
@@ -190,6 +190,8 @@ def has_object_permission(self, request, view, obj):
if self.is_superuser(request.user):
return True
if self.is_backend_user(request.user):
if request.user in obj.access_groups.all() and self.is_safe_method(request):
return True
return self.is_owner(request.user, obj)
return False
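Review bot: The added test `request.user in obj.access_groups.all()` compares a user object against the entries of `access_groups`, which the views.py part of this commit filters by a collaboration group (`Q(access_groups=collab_group)`), so the membership test presumably never matches and group members still fall through to `is_owner`. That fails closed, but the read access this commit intends is not granted, and the list view and the object permission disagree about who may see an image. Comparing the group instead would align them: `group = request.user.backend_user.get_collaboration_group()` followed by `if group in obj.access_groups.all() and self.is_safe_method(request):`. A comment above the check such as `# group members get read-only access; writes stay owner-only` would record the intent. has_object_permission begins above the hunk.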

18 changes: 13 additions & 5 deletions ipynbsrv/api/views.py
@@ -718,9 +718,17 @@ def get_queryset(self):
if self.request.user.is_superuser:
queryset = ContainerImage.objects.all()
else:
queryset = ContainerImage.objects.filter(
Q(is_internal=False) & (Q(owner=self.request.user) | Q(is_public=True))
)
collab_group = None
if hasattr(self.request.user, 'backend_user'):
collab_group = self.request.user.backend_user.get_collaboration_group()
if collab_group:
queryset = ContainerImage.objects.filter(
Q(is_internal=False) & (Q(owner=self.request.user) | Q(is_public=True) | Q(access_groups=collab_group))
).distinct()
else:
queryset = ContainerImage.objects.filter(
Q(is_internal=False) & (Q(owner=self.request.user) | Q(is_public=True))
).distinct()
return queryset


@@ -750,7 +758,7 @@ def image_add_access_groups(request, pk):
image = obj.first()

# validate permissions
# validate_object_permission(ShareDetailPermissions, request, share)
validate_object_permission(ContainerImageDetailPermission, request, image)

# validate all the access_groups first before adding them
access_groups = []
@@ -794,7 +802,7 @@ def image_remove_access_groups(request, pk):
image = obj.first()

# validate permissions
# validate_object_permission(ShareDetailPermissions, request, share)
validate_object_permission(ContainerImageDetailPermission, request, image)

# validate all the access_groups first before adding them
access_groups = []
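Review bot: The non-superuser branch of get_queryset now spells out the visibility filter twice, differing only in `Q(access_groups=collab_group)`, so a later change to the rule (for example the `is_internal` exclusion) has to be made in both copies or the two kinds of user end up with different listings. Building the condition once and OR-ing in the group clause only when `collab_group` is set keeps a single definition of who may list an image. The match is also limited to the one group returned by `get_collaboration_group()`; if a user can belong to further groups, images shared with those would presumably not be listed, which is worth confirming. get_queryset starts above the hunk.

```python
else:
    # … unchanged: collab_group lookup via request.user.backend_user …
    visible = Q(owner=self.request.user) | Q(is_public=True)
    if collab_group:
        visible |= Q(access_groups=collab_group)
    queryset = ContainerImage.objects.filter(
        Q(is_internal=False) & visible
    ).distinct()
```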