Fixes to check_permissions

This allows nodes to have their permissions correctly evaluated for logged in users.
2015-11-13 17:32:50 +01:00 · 2015-11-13 17:32:50 +01:00 · 11f8769eb8
commit 11f8769eb8
parent 8f8b2cfbd4
1 changed files with 25 additions and 12 deletions
--- a/pillar/application/init.py
+++ b/pillar/application/init.py
@ -253,19 +253,32 @@ def check_permissions(resource, method, append_allowed_methods=False):
    current_user = g.get('current_user', None)
    if 'permissions' in resource:
-        # If permissions are embedde in the node (this overrides any other
+        # If permissions are embedded in the node (this overrides any other
-        # permission previously set)
+        # matching permission originally set at node_type level)
-        resource_permissions = resource['permissions']
+        resource_permissions_override = resource['permissions']
    elif type(resource['node_type']) is dict:
        # If the node_type is embedded in the document, extract permissions
        # from there
        resource_permissions = resource['node_type']['permissions']
    else:
-        # If the node_type is referenced with an ObjectID (was not embedded on
+        resource_permissions_override = None
-        # request) query for if from the database and get the permissions
+
-        node_types_collection = app.data.driver.db['node_types']
+    if 'node_type' in resource:
-        node_type = node_types_collection.find_one(resource['node_type'])
+        if type(resource['node_type']) is dict:
-        resource_permissions = node_type['permissions']
+            # If the node_type is embedded in the document, extract permissions
            # from there
            resource_permissions = resource['node_type']['permissions']
        else:
            # If the node_type is referenced with an ObjectID (was not embedded on
            # request) query for if from the database and get the permissions
            node_types_collection = app.data.driver.db['node_types']
            node_type = node_types_collection.find_one(resource['node_type'])
            resource_permissions = node_type['permissions']
    else:
        resource_permissions = None
    # Override resource_permissions if override is provided
    if resource_permissions_override and resource_permissions:
        for k, v in resource_permissions_override.iteritems():
            resource_permissions[k] = v
    elif resource_permissions_override and not resource_permissions:
        resource_permissions = resource_permissions_override
    if current_user:
        # If the user is authenticated, proceed to compare the group permissions