Allow task & shot details only to subscribers/demos/admins

2016-10-11 15:18:54 +02:00
parent bb5acd3dd7
commit 1461fd2064
3 changed files with 16 additions and 2 deletions
--- a/attract/init.py
+++ b/attract/init.py
@@ -11,6 +11,9 @@ import attract.shots

 EXTENSION_NAME = 'attract'

+# Roles required to view task or shot details.
+ROLES_REQUIRED_TO_VIEW_ITEMS = {u'demo', u'subscriber', u'admin'}
+

 class AttractExtension(PillarExtension):
    def __init__(self):
--- a/attract/shots/routes.py
+++ b/attract/shots/routes.py
@@ -1,7 +1,9 @@
 import logging

+import flask_login
 from flask import Blueprint, render_template, request
 import flask
+import werkzeug.exceptions as wz_exceptions

 import pillarsdk
 import pillar.api.utils
@@ -9,7 +11,7 @@ from pillar.web.system_util import pillar_api

 from attract.routes import attract_project_view
 from attract.node_types.shot import node_type_shot
-from attract import current_attract
+from attract import current_attract, ROLES_REQUIRED_TO_VIEW_ITEMS

 blueprint = Blueprint('attract.shots', __name__, url_prefix='/shots')
 perproject_blueprint = Blueprint('attract.shots.perproject', __name__,
@@ -65,6 +67,10 @@ def view_shot(project, attract_props, shot_id):
    if not request.is_xhr:
        return for_project(project, attract_props, shot_id=shot_id)

+    # Shot list is public, shot details are not.
+    if not flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS):
+        raise wz_exceptions.Forbidden()
+
    api = pillar_api()

    shot = pillarsdk.Node.find(shot_id, api=api)
--- a/attract/tasks/routes.py
+++ b/attract/tasks/routes.py
@@ -3,6 +3,7 @@ import logging
 from flask import Blueprint, render_template, request, current_app
 import flask
 import flask_login
+import werkzeug.exceptions as wz_exceptions

 import pillarsdk
 from pillar.web.system_util import pillar_api
@@ -10,7 +11,7 @@ import pillar.api.utils

 from attract.routes import attract_project_view
 from attract.node_types.task import node_type_task
-from attract import current_attract
+from attract import current_attract, ROLES_REQUIRED_TO_VIEW_ITEMS

 blueprint = Blueprint('attract.tasks', __name__, url_prefix='/tasks')
 perproject_blueprint = Blueprint('attract.tasks.perproject', __name__,
@@ -74,6 +75,10 @@ def view_task(project, attract_props, task_id):
    if not request.is_xhr:
        return for_project(project, task_id=task_id)

+    # Task list is public, task details are not.
+    if not flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS):
+        raise wz_exceptions.Forbidden()
+
    api = pillar_api()
    task = pillarsdk.Node.find(task_id, api=api)
    node_type = project.get_node_type(node_type_task['name'])