From 7fbcee2ee79f97b85e6103aee617811ffeee93d3 Mon Sep 17 00:00:00 2001
From: Francesco Siddi
Date: Thu, 15 Oct 2015 16:12:46 +0200
Subject: [PATCH] Check for allowed_roles on get on the resource level This hook was originally implemented only on the item leve, now we check for every node at every GET request. The performance hit can be significant.
---
pillar/application/__init__.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/pillar/application/__init__.py b/pillar/application/__init__.py
index acae19fa..51e1f592 100644
--- a/pillar/application/__init__.py
+++ b/pillar/application/__init__.py
@@ -277,7 +277,7 @@ def check_permissions(resource, method, append_allowed_methods=False):
 if append_allowed_methods and method in allowed_methods:
 resource['allowed_methods'] = list(set(allowed_methods))
- return
+ return resource
 abort(403)
@@ -286,6 +286,14 @@ def before_returning_node(response):
 validate_token()
 check_permissions(response, 'GET', append_allowed_methods=True)
+def before_returning_nodes(response):
+ for item in response['_items']:
+ print item
+ validate_token()
+ item = check_permissions(item, 'GET', append_allowed_methods=True)
+ print item
+ print response['_items']
+
 def before_replacing_node(item, original):
 check_permissions(original, 'PUT')
@@ -295,6 +303,7 @@ def before_inserting_nodes(items):
 app.on_fetched_item_nodes += before_returning_node
+app.on_fetched_resource_nodes += before_returning_nodes
 app.on_replace_nodes += before_replacing_node
 app.on_insert_nodes += before_inserting_nodes
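Review bot: With `return resource` in the first hunk, `check_permissions` hands the resource back on the success path while the denial path still ends in `abort(403)`, yet the resource is also updated in place (`resource['allowed_methods'] = ...`), so callers get the same result two ways and the existing `before_returning_node` keeps ignoring the return value. I would either keep the bare `return` and rely on the in-place update, or state the contract in the docstring, for example `Adds 'allowed_methods' to resource in place and returns it; aborts with 403 when method is not allowed.` The start of `check_permissions` is outside the hunk, so any earlier exits that still return `None` cannot be checked from here.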
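Review bot: The three `print` statements in `before_returning_nodes` (second hunk) write every node document, and then the whole `_items` list, to stdout on each collection GET, and the first one runs before `check_permissions` has decided whether the caller may see that item; they look like leftover debugging and should be dropped, or replaced by a debug-level log line that omits the document body. `validate_token()` takes no item, so it can move above the loop and run once per request, which also trims the per-node cost the commit message mentions. `check_permissions` updates the item in place, so rebinding the loop variable to its return value has no effect on `response['_items']` and can go. Because the first hunk shows `check_permissions` ending in `abort(403)`, one node the caller may not read will presumably fail the whole listing rather than be left out of it; worth confirming that this is the intended behaviour.

```python
def before_returning_nodes(response):
    # The token check does not depend on the item: run it once per request.
    validate_token()
    for item in response['_items']:
        # Updates the item in place; aborts the request with 403 on denial.
        check_permissions(item, 'GET', append_allowed_methods=True)
```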