diff options
| author | François Schmidts <francois.schmidts@gmail.com> | 2015-04-22 18:50:54 +0200 |
|---|---|---|
| committer | François Schmidts <francois.schmidts@gmail.com> | 2015-04-23 09:52:22 +0200 |
| commit | 55520e2aa70a94b697210bfae9f4097ce04a02a1 (patch) | |
| tree | 52db75138eee48708aef3633d862938d01de0218 /pyaggr3g470r/controllers | |
| parent | Fixed strange behaviour of the search when only searching on the content. (diff) | |
| download | newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.tar.gz newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.tar.bz2 newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.zip | |
enforcing better user of user_id in controllers
thus enhancing rights limitations between users
wider_controller are a way to say "I was the maximum rights my role
allows me"
Diffstat (limited to 'pyaggr3g470r/controllers')
| -rw-r--r-- | pyaggr3g470r/controllers/abstract.py | 11 | ||||
| -rw-r--r-- | pyaggr3g470r/controllers/article.py | 4 |
2 files changed, 12 insertions, 3 deletions
diff --git a/pyaggr3g470r/controllers/abstract.py b/pyaggr3g470r/controllers/abstract.py index 95f9e211..3ea4fbff 100644 --- a/pyaggr3g470r/controllers/abstract.py +++ b/pyaggr3g470r/controllers/abstract.py @@ -1,4 +1,5 @@ import logging +from flask import g from bootstrap import db from sqlalchemy import or_ from werkzeug.exceptions import Forbidden, NotFound @@ -18,6 +19,9 @@ class AbstractController(object): allowing for a kind of "super user" mode. """ self.user_id = user_id + if self.user_id is not None \ + and self.user_id != g.user.id and not g.user.is_admin(): + self.user_id = g.user.id def _to_filters(self, **filters): """ @@ -51,7 +55,12 @@ class AbstractController(object): return db_filters def _get(self, **filters): - if self.user_id is not None: + """ Will add the current user id if that one is not none (in which case + the decision has been made in the code that the query shouldn't be user + dependant) and the user is not an admin and the filters doesn't already + contains a filter for that user. + """ + if self.user_id and filters.get(self._user_id_key) != self.user_id: filters[self._user_id_key] = self.user_id return self._db_cls.query.filter(*self._to_filters(**filters)) diff --git a/pyaggr3g470r/controllers/article.py b/pyaggr3g470r/controllers/article.py index bcd73e99..d22911bd 100644 --- a/pyaggr3g470r/controllers/article.py +++ b/pyaggr3g470r/controllers/article.py @@ -23,6 +23,6 @@ class ArticleController(AbstractController): def get_unread(self): return dict(db.session.query(Article.feed_id, func.count(Article.id)) - .filter(Article.readed == False, - Article.user_id == self.user_id) + .filter(*self._to_filters(readed=False, + user_id=self.user_id)) .group_by(Article.feed_id).all()) |