From 55520e2aa70a94b697210bfae9f4097ce04a02a1 Mon Sep 17 00:00:00 2001 From: François Schmidts Date: Wed, 22 Apr 2015 18:50:54 +0200 Subject: enforcing better user of user_id in controllers thus enhancing rights limitations between users wider_controller are a way to say "I was the maximum rights my role allows me" --- pyaggr3g470r/controllers/abstract.py | 11 ++++++++++- pyaggr3g470r/controllers/article.py | 4 ++-- pyaggr3g470r/lib/crawler.py | 1 + pyaggr3g470r/views/api/article.py | 2 +- pyaggr3g470r/views/api/common.py | 6 ++++++ pyaggr3g470r/views/api/feed.py | 9 +++++---- 6 files changed, 25 insertions(+), 8 deletions(-) (limited to 'pyaggr3g470r') diff --git a/pyaggr3g470r/controllers/abstract.py b/pyaggr3g470r/controllers/abstract.py index 95f9e211..3ea4fbff 100644 --- a/pyaggr3g470r/controllers/abstract.py +++ b/pyaggr3g470r/controllers/abstract.py @@ -1,4 +1,5 @@ import logging +from flask import g from bootstrap import db from sqlalchemy import or_ from werkzeug.exceptions import Forbidden, NotFound @@ -18,6 +19,9 @@ class AbstractController(object): allowing for a kind of "super user" mode. """ self.user_id = user_id + if self.user_id is not None \ + and self.user_id != g.user.id and not g.user.is_admin(): + self.user_id = g.user.id def _to_filters(self, **filters): """ @@ -51,7 +55,12 @@ class AbstractController(object): return db_filters def _get(self, **filters): - if self.user_id is not None: + """ Will add the current user id if that one is not none (in which case + the decision has been made in the code that the query shouldn't be user + dependant) and the user is not an admin and the filters doesn't already + contains a filter for that user. + """ + if self.user_id and filters.get(self._user_id_key) != self.user_id: filters[self._user_id_key] = self.user_id return self._db_cls.query.filter(*self._to_filters(**filters)) diff --git a/pyaggr3g470r/controllers/article.py b/pyaggr3g470r/controllers/article.py index bcd73e99..d22911bd 100644 --- a/pyaggr3g470r/controllers/article.py +++ b/pyaggr3g470r/controllers/article.py @@ -23,6 +23,6 @@ class ArticleController(AbstractController): def get_unread(self): return dict(db.session.query(Article.feed_id, func.count(Article.id)) - .filter(Article.readed == False, - Article.user_id == self.user_id) + .filter(*self._to_filters(readed=False, + user_id=self.user_id)) .group_by(Article.feed_id).all()) diff --git a/pyaggr3g470r/lib/crawler.py b/pyaggr3g470r/lib/crawler.py index 339c4b12..cae3bd8f 100644 --- a/pyaggr3g470r/lib/crawler.py +++ b/pyaggr3g470r/lib/crawler.py @@ -267,6 +267,7 @@ class FeedCrawler(AbstractCrawler): for entry in parsed_response['entries']: entry_ids = extract_id(entry) entry_ids['feed_id'] = self.feed['id'] + entry_ids['user_id'] = self.feed['user_id'] entries[tuple(sorted(entry_ids.items()))] = entry ids.append(entry_ids) logger.debug('%r %r - found %d entries %r', diff --git a/pyaggr3g470r/views/api/article.py b/pyaggr3g470r/views/api/article.py index 516eef8f..03ecdb18 100644 --- a/pyaggr3g470r/views/api/article.py +++ b/pyaggr3g470r/views/api/article.py @@ -51,7 +51,7 @@ class ArticlesChallenge(PyAggAbstractResource): if key in id_dict: id_dict[key] = dateutil.parser.parse(id_dict[key]) - return self.controller.challenge(parsed_args['ids']) + return self.wider_controller.challenge(parsed_args['ids']) g.api.add_resource(ArticleNewAPI, '/article', endpoint='article_new.json') diff --git a/pyaggr3g470r/views/api/common.py b/pyaggr3g470r/views/api/common.py index ca344c04..b8c4dd9d 100644 --- a/pyaggr3g470r/views/api/common.py +++ b/pyaggr3g470r/views/api/common.py @@ -90,6 +90,12 @@ class PyAggAbstractResource(Resource): def controller(self): return self.controller_cls(getattr(g.user, 'id', None)) + @property + def wider_controller(self): + if g.user.is_admin(): + return self.controller_cls() + return self.controller_cls(getattr(g.user, 'id', None)) + def reqparse_args(self, req=None, strict=False, default=True, args=None): """ strict: bool diff --git a/pyaggr3g470r/views/api/feed.py b/pyaggr3g470r/views/api/feed.py index ad185de9..68f3a12c 100644 --- a/pyaggr3g470r/views/api/feed.py +++ b/pyaggr3g470r/views/api/feed.py @@ -52,12 +52,13 @@ class FetchableFeedAPI(PyAggAbstractResource): if g.user.refresh_rate: args['refresh_rate'] = g.user.refresh_rate - dont_filter_by_user = args.pop('retreive_all') and g.user.is_admin() - - contr = self.controller_cls() if dont_filter_by_user \ - else self.controller + if args.pop('retreive_all'): + contr = self.wider_controller + else: + contr = self.controller return [feed for feed in contr.list_fetchable(**args)] + g.api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json') g.api.add_resource(FeedAPI, '/feed/', endpoint='feed.json') g.api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json') -- cgit