From 55520e2aa70a94b697210bfae9f4097ce04a02a1 Mon Sep 17 00:00:00 2001
From: François Schmidts
Date: Wed, 22 Apr 2015 18:50:54 +0200
Subject: enforcing better user of user_id in controllers thus enhancing rights limitations between users wider_controller are a way to say "I was the maximum rights my role allows me"
---
 pyaggr3g470r/views/api/feed.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'pyaggr3g470r/views/api/feed.py')
diff --git a/pyaggr3g470r/views/api/feed.py b/pyaggr3g470r/views/api/feed.py
index ad185de9..68f3a12c 100644
--- a/pyaggr3g470r/views/api/feed.py
+++ b/pyaggr3g470r/views/api/feed.py
@@ -52,12 +52,13 @@ class FetchableFeedAPI(PyAggAbstractResource):
 if g.user.refresh_rate:
 args['refresh_rate'] = g.user.refresh_rate
- dont_filter_by_user = args.pop('retreive_all') and g.user.is_admin()
-
- contr = self.controller_cls() if dont_filter_by_user \
- else self.controller
+ if args.pop('retreive_all'):
+ contr = self.wider_controller
+ else:
+ contr = self.controller
 return [feed for feed in contr.list_fetchable(**args)]
+
 g.api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json')
 g.api.add_resource(FeedAPI, '/feed/', endpoint='feed.json')
 g.api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json')
-- cgit
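Review bot: The explicit `g.user.is_admin()` gate on `retreive_all` is gone from this method, so whether a non-admin caller can list every user's fetchable feeds now depends entirely on what `self.wider_controller` returns. Its definition is not part of this patch (the view is limited to feed.py) and the enclosing method starts above the hunk, so the role check cannot be confirmed from here. If it does fall back to a controller scoped to `g.user.id` for non-admins, say so at the call site, e.g. `# wider_controller enforces the role check: non-admins get a controller scoped to their own user_id`. A regression test that calls this endpoint as a non-admin with `retreive_all` set and asserts only that user's feeds come back would pin the authorization boundary this commit relocates.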