Only users with attract-user role can use Attract

Subscribers without that role still have read-only access to Attract,
assuming they have access to the project at all.

NOTE: this only handles the web interface. API calls are still governed
by the nodes permission system, which doesn't currently allow these kinds
of role-based user checks.
2017-06-15 12:50:28 +02:00
parent f4a06c3271
commit 50ae411575
10 changed files with 155 additions and 15 deletions


@@ -6,6 +6,7 @@ import flask_login
import werkzeug.exceptions as wz_exceptions
from pillar.auth import current_web_user as current_user
from pillar.api.utils import str2id
from pillar.web.utils import attach_project_pictures
import pillar.web.subquery
from pillar.web.system_util import pillar_api
@@ -130,6 +131,13 @@ def attract_project_view(extra_project_projections: dict=None, extension_props=F
if not is_attract:
return error_project_not_setup_for_attract()
# Check user access.
auth = current_attract.auth
auth.determine_user_rights(str2id(project['_id']))
if not auth.current_user_may(auth.Actions.VIEW):
log.info('User %s not allowed to use Attract', current_user)
raise wz_exceptions.Forbidden()
if extension_props:
pprops = project.extension_props.attract
return wrapped(project, pprops, *args, **kwargs)
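Review bot: The check added before `if extension_props:` gates every view wrapped by this decorator on `auth.Actions.VIEW` only, so a wrapped view that changes data stays reachable with read-only rights unless it performs its own stronger check; whether the other files in this commit do that is not visible here. I would state that contract next to the check, for example `# Enforces VIEW only; views that modify data must check the stronger action themselves.`, or let the decorator take the required action as a parameter. The denial log line also omits the project, which makes refused requests hard to correlate when reviewing access logs: `log.info('User %s not allowed to use Attract on project %s', current_user, project['_id'])`. The enclosing wrapper function starts and ends outside this hunk.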