From c4a732f374f36cae40efb915b2928502182d3a41 Mon Sep 17 00:00:00 2001
From: Christian Glatthard
Date: Wed, 12 Aug 2015 22:07:50 +0200
Subject: [PATCH] validate permissions on group add or remove on image
---
 ipynbsrv/api/permissions.py | 2 ++
 ipynbsrv/api/views.py | 18 +++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/ipynbsrv/api/permissions.py b/ipynbsrv/api/permissions.py
index ae2bbfd..d98d992 100644
--- a/ipynbsrv/api/permissions.py
+++ b/ipynbsrv/api/permissions.py
@@ -190,6 +190,8 @@ def has_object_permission(self, request, view, obj):
 if self.is_superuser(request.user):
 return True
 if self.is_backend_user(request.user):
+ if request.user in obj.access_groups.all() and self.is_safe_method(request):
+ return True
 return self.is_owner(request.user, obj)
 return False
diff --git a/ipynbsrv/api/views.py b/ipynbsrv/api/views.py
index 297b967..4119d92 100644
--- a/ipynbsrv/api/views.py
+++ b/ipynbsrv/api/views.py
@@ -718,9 +718,17 @@ def get_queryset(self):
 if self.request.user.is_superuser:
 queryset = ContainerImage.objects.all()
 else:
- queryset = ContainerImage.objects.filter(
- Q(is_internal=False) & (Q(owner=self.request.user) | Q(is_public=True))
- )
+ collab_group = None
+ if hasattr(self.request.user, 'backend_user'):
+ collab_group = self.request.user.backend_user.get_collaboration_group()
+ if collab_group:
+ queryset = ContainerImage.objects.filter(
+ Q(is_internal=False) & (Q(owner=self.request.user) | Q(is_public=True) | Q(access_groups=collab_group))
+ ).distinct()
+ else:
+ queryset = ContainerImage.objects.filter(
+ Q(is_internal=False) & (Q(owner=self.request.user) | Q(is_public=True))
+ ).distinct()
 return queryset
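Review bot: The new membership test `request.user in obj.access_groups.all()` on the first added line compares the request's User against the entries of `access_groups`, which the views.py hunk in this same commit treats as groups (`Q(access_groups=collab_group)`); if that is what the relation holds, a User never equals a Group and the read-only exception for group members is dead code. The list view resolves the caller to `backend_user.get_collaboration_group()` and matches that group, and the object permission should use the same key so that an image listed for a user is also readable by that user: `group = request.user.backend_user.get_collaboration_group()` followed by `if group and self.is_safe_method(request) and obj.access_groups.filter(pk=group.pk).exists(): return True`. Whether `is_backend_user` guarantees that `backend_user` exists is not visible here, so guard or confirm it. Keeping `is_safe_method` in the condition is right, since it is what stops group members from editing or deleting the image. The enclosing method and its class start outside the hunk, so it is not visible which permission class this is.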
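Review bot: The two added `filter(...)` branches in get_queryset repeat the whole `is_internal`/`owner`/`is_public` expression and only differ by one OR-ed term, which invites the two copies to drift apart the next time visibility rules change; build the visibility Q once and add the group term conditionally. Only the user's single collaboration group is consulted, so if an image can carry other groups the user belongs to, those images stay hidden from the list while the detail permission may still allow them; confirm that asymmetry is intended. The `.distinct()` added to both branches is needed once the many-to-many `access_groups` join is in play, so keep it on the shared call.
```python
# … unchanged: superuser branch and collab_group lookup …
visible = Q(owner=self.request.user) | Q(is_public=True)
if collab_group:
    visible |= Q(access_groups=collab_group)
queryset = ContainerImage.objects.filter(Q(is_internal=False) & visible).distinct()
```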
@@ -750,7 +758,7 @@ def image_add_access_groups(request, pk):
 image = obj.first()
 # validate permissions
- # validate_object_permission(ShareDetailPermissions, request, share)
+ validate_object_permission(ContainerImageDetailPermission, request, image)
 # validate all the access_groups first before adding them
 access_groups = []
@@ -794,7 +802,7 @@ def image_remove_access_groups(request, pk):
 image = obj.first()
 # validate permissions
- # validate_object_permission(ShareDetailPermissions, request, share)
+ validate_object_permission(ContainerImageDetailPermission, request, image)
 # validate all the access_groups first before adding them
 access_groups = []
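Review bot: The added `validate_object_permission(ContainerImageDetailPermission, request, image)` only enforces ownership because the same commit lets group members pass that permission for safe methods, and nothing in the line records that this endpoint relies on being a non-safe method; a one-line comment such as `# non-safe method: ContainerImageDetailPermission admits only the owner (or superuser) here` would keep the next change to the permission class from silently opening group-sharing to group members. The line it replaces was a commented-out call naming `ShareDetailPermissions` and `share`, so this is new code rather than a rename — confirm `ContainerImageDetailPermission` and `validate_object_permission` are imported in views.py, since the import block is outside the hunk. Ownership of the image also says nothing about the caller's relation to the groups being attached; the validation loop that follows `access_groups = []` is outside the hunk, so whether it restricts which groups an owner may share with cannot be seen from here. The function `image_add_access_groups` starts before the hunk, including whatever handles `obj.first()` returning None.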