From 964e807721420cd3f082e8791fd46a12d05c4e8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Thu, 27 Oct 2016 09:34:57 +0200
Subject: [PATCH] Give admin explicit permissions, instead of blindly granting everything. This ensures that the allowed_methods properties are properly set. Admin users get the union of all permissions given to all groups and users.
---
pillar/api/utils/authorization.py | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/pillar/api/utils/authorization.py b/pillar/api/utils/authorization.py
index 541a7838..b2e64f33 100644
--- a/pillar/api/utils/authorization.py
+++ b/pillar/api/utils/authorization.py
@@ -28,10 +28,6 @@ def check_permissions(collection_name, resource, method, append_allowed_methods= :type check_node_type: str """ - # Admins can do anything. - if user_has_role(u'admin'): - return - if not has_permissions(collection_name, resource, method, append_allowed_methods, check_node_type): abort(403)
@@ -67,14 +63,17 @@ def compute_allowed_methods(collection_name, resource, check_node_type=None): # Accumulate allowed methods from the user, group and world level. allowed_methods = set() current_user = getattr(g, 'current_user', None) + if current_user: + user_is_admin = is_admin(current_user) + # If the user is authenticated, proceed to compare the group permissions for permission in computed_permissions.get('groups', ()): - if permission['group'] in current_user['groups']: + if user_is_admin or permission['group'] in current_user['groups']: allowed_methods.update(permission['methods']) for permission in computed_permissions.get('users', ()): - if current_user['user_id'] == permission['user']: + if user_is_admin or current_user['user_id'] == permission['user']: allowed_methods.update(permission['methods']) # Check if the node is public or private. This must be set for non logged
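Review bot: In check_permissions, removing the early return means an admin now falls through to `abort(403)` for any method that no group or user entry on the resource grants. Assuming has_permissions relies on compute_allowed_methods, that includes resources whose permissions carry no `groups` or `users` entries at all. The commit message says this is intended, but the docstring ending just above the removed lines does not; add a sentence such as `Admins are not exempt: they receive the union of the methods granted to any group or user on the resource.` The diffstat lists only authorization.py, so nothing in this patch pins the new admin behaviour; a test for an admin against a resource with empty permissions would guard it. check_permissions starts outside the hunk.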
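Review bot: In compute_allowed_methods, the added line `user_is_admin = is_admin(current_user)` calls a helper that this patch neither defines nor imports, while the code removed from check_permissions used `user_has_role(u'admin')`. Confirm that `is_admin` already exists in this module and accepts the `current_user` dict; if it does not, authenticated requests would presumably fail with a NameError. The two `user_is_admin or …` conditions would also read more safely with a comment above the loops, for example `# Admins match every group and user entry, so they get the union of all granted methods and nothing beyond it.` compute_allowed_methods begins and ends outside the hunk.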