archive/attract
0
0
Fork 0
Code Issues 7 Pull Requests Projects Releases Wiki Activity

Allow task & shot details only to subscribers/demos/admins

Browse Source
This commit is contained in:
Sybren A. Stüvel
2016-10-11 15:18:54 +02:00
parent bb5acd3dd7
commit 1461fd2064
3 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
attract/__init__.py
View File

@@ -11,6 +11,9 @@ import attract.shots
EXTENSION_NAME = 'attract' EXTENSION_NAME = 'attract'
# Roles required to view task or shot details.
ROLES_REQUIRED_TO_VIEW_ITEMS = {u'demo', u'subscriber', u'admin'}
class AttractExtension(PillarExtension): class AttractExtension(PillarExtension):
def __init__(self): def __init__(self):

8
attract/shots/routes.py
View File

@@ -1,7 +1,9 @@
import logging import logging
import flask_login
from flask import Blueprint, render_template, request from flask import Blueprint, render_template, request
import flask import flask
import werkzeug.exceptions as wz_exceptions
import pillarsdk import pillarsdk
import pillar.api.utils import pillar.api.utils
@@ -9,7 +11,7 @@ from pillar.web.system_util import pillar_api
from attract.routes import attract_project_view from attract.routes import attract_project_view
from attract.node_types.shot import node_type_shot from attract.node_types.shot import node_type_shot
from attract import current_attract from attract import current_attract, ROLES_REQUIRED_TO_VIEW_ITEMS
blueprint = Blueprint('attract.shots', __name__, url_prefix='/shots') blueprint = Blueprint('attract.shots', __name__, url_prefix='/shots')
perproject_blueprint = Blueprint('attract.shots.perproject', __name__, perproject_blueprint = Blueprint('attract.shots.perproject', __name__,
@@ -65,6 +67,10 @@ def view_shot(project, attract_props, shot_id):
if not request.is_xhr: if not request.is_xhr:
return for_project(project, attract_props, shot_id=shot_id) return for_project(project, attract_props, shot_id=shot_id)
# Shot list is public, shot details are not.
if not flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS):
raise wz_exceptions.Forbidden()
api = pillar_api() api = pillar_api()
shot = pillarsdk.Node.find(shot_id, api=api) shot = pillarsdk.Node.find(shot_id, api=api)

7
attract/tasks/routes.py
View File

@@ -3,6 +3,7 @@ import logging
from flask import Blueprint, render_template, request, current_app from flask import Blueprint, render_template, request, current_app
import flask import flask
import flask_login import flask_login
import werkzeug.exceptions as wz_exceptions
import pillarsdk import pillarsdk
from pillar.web.system_util import pillar_api from pillar.web.system_util import pillar_api
@@ -10,7 +11,7 @@ import pillar.api.utils
from attract.routes import attract_project_view from attract.routes import attract_project_view
from attract.node_types.task import node_type_task from attract.node_types.task import node_type_task
from attract import current_attract from attract import current_attract, ROLES_REQUIRED_TO_VIEW_ITEMS
blueprint = Blueprint('attract.tasks', __name__, url_prefix='/tasks') blueprint = Blueprint('attract.tasks', __name__, url_prefix='/tasks')
perproject_blueprint = Blueprint('attract.tasks.perproject', __name__, perproject_blueprint = Blueprint('attract.tasks.perproject', __name__,
@@ -74,6 +75,10 @@ def view_task(project, attract_props, task_id):
if not request.is_xhr: if not request.is_xhr:
return for_project(project, task_id=task_id) return for_project(project, task_id=task_id)
# Task list is public, task details are not.
if not flask_login.current_user.has_role(*ROLES_REQUIRED_TO_VIEW_ITEMS):
raise wz_exceptions.Forbidden()
api = pillar_api() api = pillar_api()
task = pillarsdk.Node.find(task_id, api=api) task = pillarsdk.Node.find(task_id, api=api)
node_type = project.get_node_type(node_type_task['name']) node_type = project.get_node_type(node_type_task['name'])