enforcing better user of user_id in controllers

thus enhancing rights limitations between users
wider_controller are a way to say "I was the maximum rights my role
allows me"

1 files changed, 5 insertions, 4 deletions

diff --git a/pyaggr3g470r/views/api/feed.py b/pyaggr3g470r/views/api/feed.py
index ad185de9..68f3a12c 100644
--- a/pyaggr3g470r/views/api/feed.py
+++ b/pyaggr3g470r/views/api/feed.py
@@ -52,12 +52,13 @@ class FetchableFeedAPI(PyAggAbstractResource):
         if g.user.refresh_rate:
             args['refresh_rate'] = g.user.refresh_rate
 
-        dont_filter_by_user = args.pop('retreive_all') and g.user.is_admin()
-
-        contr = self.controller_cls() if dont_filter_by_user \
-                else self.controller
+        if args.pop('retreive_all'):
+            contr = self.wider_controller
+        else:
+            contr = self.controller
         return [feed for feed in contr.list_fetchable(**args)]
 
+
 g.api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json')
 g.api.add_resource(FeedAPI, '/feed/<int:obj_id>', endpoint='feed.json')
 g.api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json')