Added access control to organizations Eve endpoints

2017-08-23 12:16:54 +02:00
parent cf51d1a280
commit b53d485960
4 changed files with 283 additions and 2 deletions
--- a/pillar/api/eve_settings.py
+++ b/pillar/api/eve_settings.py
@@ -737,6 +737,11 @@ groups = {

 organizations = {
    'schema': organizations_schema,
+    'resource_methods': ['GET', 'POST'],
+    'item_methods': ['GET'],
+    'public_item_methods': [],
+    'public_methods': [],
+    'soft_delete': True,
 }

 projects = {
--- a/pillar/api/organizations/init.py
+++ b/pillar/api/organizations/init.py
@@ -254,6 +254,7 @@ class OrgManager:


 def setup_app(app):
-    from . import patch
+    from . import patch, hooks

+    hooks.setup_app(app)
    patch.setup_app(app)
--- a/pillar/api/organizations/hooks.py
+++ b/pillar/api/organizations/hooks.py
@@ -0,0 +1,27 @@
+import werkzeug.exceptions as wz_exceptions
+
+from pillar.api.utils.authentication import current_user
+
+
+def pre_get_organizations(request, lookup):
+    user = current_user()
+    if user.is_anonymous:
+        raise wz_exceptions.Forbidden()
+
+    if user.has_cap('admin'):
+        # Allow all lookups to admins.
+        return
+
+    # Only allow users to see their own organizations.
+    lookup['$or'] = [{'admin_uid': user.user_id}, {'members': user.user_id}]
+
+
+def pre_post_organizations(request):
+    user = current_user()
+    if user.is_anonymous or not user.has_cap('admin'):
+        raise wz_exceptions.Forbidden()
+
+
+def setup_app(app):
+    app.on_pre_GET_organizations += pre_get_organizations
+    app.on_pre_POST_organizations += pre_post_organizations