aboutsummaryrefslogtreecommitdiff
path: root/pyaggr3g470r/controllers
diff options
context:
space:
mode:
authorFrançois Schmidts <francois.schmidts@gmail.com>2015-04-22 18:50:54 +0200
committerFrançois Schmidts <francois.schmidts@gmail.com>2015-04-23 09:52:22 +0200
commit55520e2aa70a94b697210bfae9f4097ce04a02a1 (patch)
tree52db75138eee48708aef3633d862938d01de0218 /pyaggr3g470r/controllers
parentFixed strange behaviour of the search when only searching on the content. (diff)
downloadnewspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.tar.gz
newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.tar.bz2
newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.zip
enforcing better user of user_id in controllers
thus enhancing rights limitations between users wider_controller are a way to say "I was the maximum rights my role allows me"
Diffstat (limited to 'pyaggr3g470r/controllers')
-rw-r--r--pyaggr3g470r/controllers/abstract.py11
-rw-r--r--pyaggr3g470r/controllers/article.py4
2 files changed, 12 insertions, 3 deletions
diff --git a/pyaggr3g470r/controllers/abstract.py b/pyaggr3g470r/controllers/abstract.py
index 95f9e211..3ea4fbff 100644
--- a/pyaggr3g470r/controllers/abstract.py
+++ b/pyaggr3g470r/controllers/abstract.py
@@ -1,4 +1,5 @@
import logging
+from flask import g
from bootstrap import db
from sqlalchemy import or_
from werkzeug.exceptions import Forbidden, NotFound
@@ -18,6 +19,9 @@ class AbstractController(object):
allowing for a kind of "super user" mode.
"""
self.user_id = user_id
+ if self.user_id is not None \
+ and self.user_id != g.user.id and not g.user.is_admin():
+ self.user_id = g.user.id
def _to_filters(self, **filters):
"""
@@ -51,7 +55,12 @@ class AbstractController(object):
return db_filters
def _get(self, **filters):
- if self.user_id is not None:
+ """ Will add the current user id if that one is not none (in which case
+ the decision has been made in the code that the query shouldn't be user
+ dependant) and the user is not an admin and the filters doesn't already
+ contains a filter for that user.
+ """
+ if self.user_id and filters.get(self._user_id_key) != self.user_id:
filters[self._user_id_key] = self.user_id
return self._db_cls.query.filter(*self._to_filters(**filters))
diff --git a/pyaggr3g470r/controllers/article.py b/pyaggr3g470r/controllers/article.py
index bcd73e99..d22911bd 100644
--- a/pyaggr3g470r/controllers/article.py
+++ b/pyaggr3g470r/controllers/article.py
@@ -23,6 +23,6 @@ class ArticleController(AbstractController):
def get_unread(self):
return dict(db.session.query(Article.feed_id, func.count(Article.id))
- .filter(Article.readed == False,
- Article.user_id == self.user_id)
+ .filter(*self._to_filters(readed=False,
+ user_id=self.user_id))
.group_by(Article.feed_id).all())
bgstack15