From 1461fd20642554ce6bf3b05b0c935126e899cb6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Tue, 11 Oct 2016 15:18:54 +0200
Subject: [PATCH] Allow task & shot details only to subscribers/demos/admins

---
 attract/__init__.py | 3 +++
 attract/shots/routes.py | 8 +++++++-
 attract/tasks/routes.py | 7 ++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/attract/__init__.py b/attract/__init__.py
index 8737fe0..e3cb616 100644
--- a/attract/__init__.py
+++ b/attract/__init__.py
@@ -11,6 +11,9 @@ import attract.shots
 EXTENSION_NAME = 'attract'
+# Roles required to view task or shot details.
+ROLES_REQUIRED_TO_VIEW_ITEMS = {u'demo', u'subscriber', u'admin'}
+
 class AttractExtension(PillarExtension):
 def __init__(self):
diff --git a/attract/shots/routes.py b/attract/shots/routes.py
index 0c38cae..49fdc2f 100644
--- a/attract/shots/routes.py
+++ b/attract/shots/routes.py
@@ -1,7 +1,9 @@
 import logging
+import flask_login
 from flask import Blueprint, render_template, request
 import flask
+import werkzeug.exceptions as wz_exceptions
 import pillarsdk
 import pillar.api.utils
@@ -9,7 +11,7 @@ from pillar.web.system_util import pillar_api
 from attract.routes import attract_project_view
 from attract.node_types.shot import node_type_shot
-from attract import current_attract
+from attract import current_attract, ROLES_REQUIRED_TO_VIEW_ITEMS
 blueprint = Blueprint('attract.shots', __name__, url_prefix='/shots')
 perproject_blueprint = Blueprint('attract.shots.perproject', __name__,
@@ -65,6 +67,10 @@ def view_shot(project, attract_props, shot_id):
 if not request.is_xhr:
 return for_project(project, attract_props, shot_id=shot_id)
+ # Shot list is public, shot details are not.
+ if not flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS):
+ raise wz_exceptions.Forbidden()
+
 api = pillar_api()
 shot = pillarsdk.Node.find(shot_id, api=api)
diff --git a/attract/tasks/routes.py b/attract/tasks/routes.py
index 36a05bb..13d04cb 100644
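Review bot: The comment on `ROLES_REQUIRED_TO_VIEW_ITEMS` leaves open whether a user must hold all of these roles or any one of them, and nothing in this file says how the set is meant to be consumed; the two route hunks in this patch splat it into `current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS)`, which reads as any-of, but that depends on the semantics of `has_role`, which are not visible here. Suggest stating the intended semantics and the consumers once confirmed, e.g. `# Roles of which the current user must hold at least one to view task or shot details; checked in shots.routes.view_shot and tasks.routes.view_task via current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS).` Because this single set gates both views, any edit to it widens or narrows detail access everywhere at once, which is worth a line in the comment as well.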
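Review bot: The new gate in `view_shot` calls `has_role` on `flask_login.current_user` without first checking that the request is authenticated; whether that is safe depends on Pillar's anonymous-user class, which is not visible here — if it does not implement `has_role`, an anonymous XHR to this endpoint raises AttributeError (a 500) instead of the intended 403, and even if it does, an unauthenticated client receives the same 403 as a logged-in user without a subscription and cannot tell that logging in would help. Suggest distinguishing the two cases ahead of the role test with `if not flask_login.current_user.is_authenticated: raise wz_exceptions.Unauthorized()` (property or method depending on the Flask-Login version in use), keeping `Forbidden` for authenticated users who lack the roles. Note also that the non-XHR branch returns `for_project(project, attract_props, shot_id=shot_id)` before the check runs, so the gate only holds if `for_project` renders the public list and leaves the shot's details to this XHR call; if it embeds any data for `shot_id` server-side, that path is ungated, which is worth confirming since `request.is_xhr` is just a client-settable header. The rest of `view_shot` continues past the end of this hunk.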
--- a/attract/tasks/routes.py
+++ b/attract/tasks/routes.py
@@ -3,6 +3,7 @@ import logging
 from flask import Blueprint, render_template, request, current_app
 import flask
 import flask_login
+import werkzeug.exceptions as wz_exceptions
 import pillarsdk
 from pillar.web.system_util import pillar_api
@@ -10,7 +11,7 @@ import pillar.api.utils
 from attract.routes import attract_project_view
 from attract.node_types.task import node_type_task
-from attract import current_attract
+from attract import current_attract, ROLES_REQUIRED_TO_VIEW_ITEMS
 blueprint = Blueprint('attract.tasks', __name__, url_prefix='/tasks')
 perproject_blueprint = Blueprint('attract.tasks.perproject', __name__,
@@ -74,6 +75,10 @@ def view_task(project, attract_props, task_id):
 if not request.is_xhr:
 return for_project(project, task_id=task_id)
+ # Task list is public, task details are not.
+ if not flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS):
+ raise wz_exceptions.Forbidden()
+
 api = pillar_api()
 task = pillarsdk.Node.find(task_id, api=api)
 node_type = project.get_node_type(node_type_task['name'])
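Review bot: The three-line role gate added to `view_task` is a verbatim copy of the one this patch adds to `view_shot` in attract/shots/routes.py, so the two authorization checks can drift apart silently (for instance if one later gains an authenticated-versus-anonymous distinction and the other does not). Suggest a single helper beside the constant, e.g. `def require_item_view_role():` that raises `wz_exceptions.Forbidden()` unless `flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS)`, and replacing the three lines in both views with `require_item_view_role()` (or a decorator applied to both view functions). As in the shot view, the early `return for_project(project, task_id=task_id)` for non-XHR requests runs before the gate; that is fine only if `for_project` renders nothing about `task_id` that the XHR path is meant to protect, which cannot be confirmed from this hunk. `view_task` continues beyond the last context line shown.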