Use capability check instead of role check in strip_link_and_variations()

2018-03-23 14:23:47 +01:00 · 2018-03-23 14:23:47 +01:00 · 0cf45c0d78
commit 0cf45c0d78
parent e4f229cc70
2 changed files with 4 additions and 9 deletions
--- a/pillar/api/file_storage/init.py
+++ b/pillar/api/file_storage/init.py
@ -386,13 +386,8 @@ def before_returning_file(response):

 def strip_link_and_variations(response):
    # Check the access level of the user.
-    if current_user.is_anonymous:
-        has_full_access = False
-    else:
-        user_roles = current_user.roles
-        # TODO: convert to a capability and check for that.
-        access_roles = current_app.config['FULL_FILE_ACCESS_ROLES']
-        has_full_access = bool(user_roles.intersection(access_roles))
+    capability = current_app.config['FULL_FILE_ACCESS_CAP']
+    has_full_access = current_user.has_cap(capability)

    # Strip all file variations (unless image) and link to the actual file.
    if not has_full_access:
--- a/pillar/config.py
+++ b/pillar/config.py
@ -109,8 +109,8 @@ FILE_LINK_VALIDITY = defaultdict(
    gcs=3600 * 23,  # 23 hours for Google Cloud Storage.
 )

-# Roles with full GET-access to all variations of files.
-FULL_FILE_ACCESS_ROLES = {'admin', 'subscriber', 'demo'}
+# Capability with GET-access to all variations of files.
+FULL_FILE_ACCESS_CAP = 'subscriber'

 # Client and Subclient IDs for Blender ID
 BLENDER_ID_CLIENT_ID = 'SPECIAL-SNOWFLAKE-57'