From d30de30bb93255c1a1506980e2ce60d85ab4aa40 Mon Sep 17 00:00:00 2001
From: Francesco Siddi
Date: Mon, 19 Oct 2015 19:09:32 +0200
Subject: [PATCH] Check permissions on node items
---
 pillar/application/__init__.py | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/pillar/application/__init__.py b/pillar/application/__init__.py
index 9ea89a86..454851c2 100644
--- a/pillar/application/__init__.py
+++ b/pillar/application/__init__.py
@@ -140,12 +140,6 @@ class NewAuth(TokenAuth):
 if not token:
 return False
 else:
- # print '---'
- # print 'validating'
- # print token
- # print resource
- # print method
- # print '---'
 validate_token()
 return True
@@ -279,17 +273,19 @@ def check_permissions(resource, method, append_allowed_methods=False):
 resource['allowed_methods'] = list(set(allowed_methods))
 return resource
- abort(403)
+ return None
 def before_returning_node(response):
 # Run validation process, since GET on nodes entry point is public
 validate_token()
- check_permissions(response, 'GET', append_allowed_methods=True)
+ if not check_permissions(response, 'GET', append_allowed_methods=True):
+ return abort(403)
 def before_returning_nodes(response):
 for item in response['_items']:
 validate_token()
- item = check_permissions(item, 'GET', append_allowed_methods=True)
+ check_permissions(item, 'GET', append_allowed_methods=True)
+
 def before_replacing_node(item, original):
 check_permissions(original, 'PUT')
@@ -324,8 +320,6 @@ def post_POST_files(request, payload):
 """
 process_file(request.get_json())
-
-#app.on_pre_POST_files += pre_POST_files
 app.on_post_POST_files += post_POST_files
 from utils.cdn import hash_file_path
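Review bot: With `check_permissions` now returning `None` instead of calling `abort(403)`, every caller has to act on the result, and two callers visible in this hunk do not: `before_returning_nodes` discards it, so items the requester has no GET permission on stay in `response['_items']`, and `before_replacing_node` still calls `check_permissions(original, 'PUT')` as a bare statement, so a denied PUT no longer appears to be rejected. Filter the listing, e.g. `response['_items'] = [i for i in response['_items'] if check_permissions(i, 'GET', append_allowed_methods=True)]`, and guard the write hook with `if not check_permissions(original, 'PUT'): abort(403)`. Only the tail of `check_permissions` and the first line of `before_replacing_node` are inside the hunk, so any other caller that relied on the old abort (not visible here) needs the same explicit check. A docstring on `check_permissions` stating that it returns the resource when access is granted and `None` otherwise would make the new contract hard to miss.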