authorFrançois Schmidts <francois.schmidts@gmail.com>2015-04-22 18:50:54 +0200
committerFrançois Schmidts <francois.schmidts@gmail.com>2015-04-23 09:52:22 +0200
commit55520e2aa70a94b697210bfae9f4097ce04a02a1 (patch)
tree52db75138eee48708aef3633d862938d01de0218 /pyaggr3g470r
parentFixed strange behaviour of the search when only searching on the content. (diff)
downloadnewspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.tar.gz
newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.tar.bz2
newspipe-55520e2aa70a94b697210bfae9f4097ce04a02a1.zip
enforcing better use of user_id in controllers
thus enhancing rights limitations between users. wider_controller is a way to say "I want the maximum rights my role allows me"
Diffstat (limited to 'pyaggr3g470r')
-rw-r--r--pyaggr3g470r/controllers/abstract.py11
-rw-r--r--pyaggr3g470r/controllers/article.py4
-rw-r--r--pyaggr3g470r/lib/crawler.py1
-rw-r--r--pyaggr3g470r/views/api/article.py2
-rw-r--r--pyaggr3g470r/views/api/common.py6
-rw-r--r--pyaggr3g470r/views/api/feed.py9
6 files changed, 25 insertions, 8 deletions
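diff --git a/pyaggr3g470r/controllers/abstract.py b/pyaggr3g470r/controllers/abstract.py
index 95f9e211..3ea4fbff 100644
--- a/pyaggr3g470r/controllers/abstract.py
+++ b/pyaggr3g470r/controllers/abstract.py
@@ -1,4 +1,5 @@
 import logging
+from flask import g
 from bootstrap import db
 from sqlalchemy import or_
 from werkzeug.exceptions import Forbidden, NotFound
@@ -18,6 +19,9 @@ class AbstractController(object):
 allowing for a kind of "super user" mode.
 """
 self.user_id = user_id
+if self.user_id is not None \
+and self.user_id != g.user.id and not g.user.is_admin():
+self.user_id = g.user.id
 def _to_filters(self, **filters):
 """
@@ -51,7 +55,12 @@ class AbstractController(object):
 return db_filters
 def _get(self, **filters):
-if self.user_id is not None:
+""" Will add the current user id if that one is not none (in which case
+the decision has been made in the code that the query shouldn't be user
+dependant) and the user is not an admin and the filters doesn't already
+contains a filter for that user.
+"""
+if self.user_id and filters.get(self._user_id_key) != self.user_id:
 filters[self._user_id_key] = self.user_id
 return self._db_cls.query.filter(*self._to_filters(**filters))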
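Review bot: The clamp added to `__init__` only fires when a non-admin passes a user_id that differs from `g.user.id`; passing `None` (the "super user" mode the docstring above describes) is never checked, so any code path that builds the controller without an argument during a non-admin request runs queries unscoped by user — the rights limit lives in the callers (`wider_controller`), not in the controller. If the controller is meant to enforce it, the guard could read `if not g.user.is_admin() and self.user_id != g.user.id:` / `self.user_id = g.user.id`, which also covers `None`; that assumes a request with a logged-in user, whereas today the `None` path never touches `g`, so callers outside a request would need to be accounted for. In `_get`, the new condition tests `self.user_id` for truthiness rather than `is not None`, so a user_id of `0` would silently drop the filter; `if self.user_id is not None and filters.get(self._user_id_key) != self.user_id:` keeps the previous semantics, and the docstring's "the user is not an admin" clause is not checked in this method at all, only indirectly via `__init__`. `__init__`'s signature and the class header lie outside the hunk.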
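diff --git a/pyaggr3g470r/controllers/article.py b/pyaggr3g470r/controllers/article.py
index bcd73e99..d22911bd 100644
--- a/pyaggr3g470r/controllers/article.py
+++ b/pyaggr3g470r/controllers/article.py
@@ -23,6 +23,6 @@ class ArticleController(AbstractController):
 def get_unread(self):
 return dict(db.session.query(Article.feed_id, func.count(Article.id))
-.filter(Article.readed == False,
-Article.user_id == self.user_id)
+.filter(*self._to_filters(readed=False,
+user_id=self.user_id))
 .group_by(Article.feed_id).all())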
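Review bot: `get_unread` always passes `user_id=self.user_id` into `_to_filters`, so when `self.user_id` is `None` (the admin / `wider_controller` case) the filter presumably becomes `user_id IS NULL` and the count is empty rather than unscoped, unlike `_get` which omits the filter in that case; `_to_filters` is outside the hunk, so how it treats `None` should be confirmed. The old code had the same behaviour, so this is not a regression, but if an unscoped count is wanted the kwargs could be built conditionally: `filters = {'readed': False}` / `if self.user_id is not None: filters['user_id'] = self.user_id`. The class header is outside the hunk.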
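diff --git a/pyaggr3g470r/lib/crawler.py b/pyaggr3g470r/lib/crawler.py
index 339c4b12..cae3bd8f 100644
--- a/pyaggr3g470r/lib/crawler.py
+++ b/pyaggr3g470r/lib/crawler.py
@@ -267,6 +267,7 @@ class FeedCrawler(AbstractCrawler):
 for entry in parsed_response['entries']:
 entry_ids = extract_id(entry)
 entry_ids['feed_id'] = self.feed['id']
+entry_ids['user_id'] = self.feed['user_id']
 entries[tuple(sorted(entry_ids.items()))] = entry
 ids.append(entry_ids)
 logger.debug('%r %r - found %d entries %r',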
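Review bot: The added line indexes `self.feed['user_id']` directly, so a feed record without that key raises `KeyError` in the middle of the entry loop; whether every feed payload the crawler receives carries `user_id` is not visible here and is worth confirming. Nothing in the hunk explains why the owner id now travels with the entry ids, so a short comment would help, e.g. `# the server-side challenge is user-scoped, so each id must carry the feed owner`, hedged to whatever the challenge endpoint actually does. The enclosing method starts before the hunk.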
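diff --git a/pyaggr3g470r/views/api/article.py b/pyaggr3g470r/views/api/article.py
index 516eef8f..03ecdb18 100644
--- a/pyaggr3g470r/views/api/article.py
+++ b/pyaggr3g470r/views/api/article.py
@@ -51,7 +51,7 @@ class ArticlesChallenge(PyAggAbstractResource):
 if key in id_dict:
 id_dict[key] = dateutil.parser.parse(id_dict[key])
-return self.controller.challenge(parsed_args['ids'])
+return self.wider_controller.challenge(parsed_args['ids'])
 g.api.add_resource(ArticleNewAPI, '/article', endpoint='article_new.json')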
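Review bot: With `wider_controller` an admin's challenge runs with `user_id=None`, so the only per-user scoping left is the `user_id` each client puts inside `parsed_args['ids']` — a value under the caller's control. For non-admin callers this stays safe only if `challenge` resolves articles through `_get`, whose new branch overwrites a mismatching `user_id` filter; `challenge` is defined outside this hunk, so that should be confirmed, and a comment such as `# user_id inside each id is client-supplied; non-admin scoping relies on AbstractController._get` would record the assumption where the trust boundary is crossed. The enclosing method begins before the hunk.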
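diff --git a/pyaggr3g470r/views/api/common.py b/pyaggr3g470r/views/api/common.py
index ca344c04..b8c4dd9d 100644
--- a/pyaggr3g470r/views/api/common.py
+++ b/pyaggr3g470r/views/api/common.py
@@ -90,6 +90,12 @@ class PyAggAbstractResource(Resource):
 def controller(self):
 return self.controller_cls(getattr(g.user, 'id', None))
+@property
+def wider_controller(self):
+if g.user.is_admin():
+return self.controller_cls()
+return self.controller_cls(getattr(g.user, 'id', None))
+
 def reqparse_args(self, req=None, strict=False, default=True, args=None):
 """
 strict: bool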
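Review bot: `wider_controller` calls `g.user.is_admin()` unconditionally while the line below guards `g.user.id` with `getattr(..., None)`, so for a request where `g.user` lacks those attributes (the very case the getattr anticipates) the property raises `AttributeError` — an unhandled 500 — instead of falling back to the user-scoped controller. The fallback branch duplicates the body of `controller`; `return self.controller` expresses the intent and keeps the two in step if `controller` changes. A docstring is also missing, e.g. `"""Controller with the widest scope the current role allows: unfiltered for admins, scoped to the current user otherwise."""`.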
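diff --git a/pyaggr3g470r/views/api/feed.py b/pyaggr3g470r/views/api/feed.py
index ad185de9..68f3a12c 100644
--- a/pyaggr3g470r/views/api/feed.py
+++ b/pyaggr3g470r/views/api/feed.py
@@ -52,12 +52,13 @@ class FetchableFeedAPI(PyAggAbstractResource):
 if g.user.refresh_rate:
 args['refresh_rate'] = g.user.refresh_rate
-dont_filter_by_user = args.pop('retreive_all') and g.user.is_admin()
-
-contr = self.controller_cls() if dont_filter_by_user \
-else self.controller
+if args.pop('retreive_all'):
+contr = self.wider_controller
+else:
+contr = self.controller
 return [feed for feed in contr.list_fetchable(**args)]
+
 g.api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json')
 g.api.add_resource(FeedAPI, '/feed/<int:obj_id>', endpoint='feed.json')
 g.api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json')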
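Review bot: The new branch is a plain value selection and the return copies an iterable into a list by hand; `contr = self.wider_controller if args.pop('retreive_all') else self.controller` and `return list(contr.list_fetchable(**args))` say the same in two lines. Note that `args['refresh_rate']` is still taken from `g.user` a few lines above even when `wider_controller` drops the user filter, so an admin's retrieve-all presumably lists only feeds matching the admin's own refresh rate; whether that is intended is not visible here. The method begins before the hunk, and the `retreive_all` argument name is pre-existing.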