From 55520e2aa70a94b697210bfae9f4097ce04a02a1 Mon Sep 17 00:00:00 2001
From: François Schmidts <francois.schmidts@gmail.com>
Date: Wed, 22 Apr 2015 18:50:54 +0200
Subject: enforcing better user of user_id in controllers

thus enhancing rights limitations between users
wider_controller are a way to say "I was the maximum rights my role
allows me"
---
 pyaggr3g470r/controllers/abstract.py | 11 ++++++++++-
 pyaggr3g470r/controllers/article.py  |  4 ++--
 pyaggr3g470r/lib/crawler.py          |  1 +
 pyaggr3g470r/views/api/article.py    |  2 +-
 pyaggr3g470r/views/api/common.py     |  6 ++++++
 pyaggr3g470r/views/api/feed.py       |  9 +++++----
 6 files changed, 25 insertions(+), 8 deletions(-)

(limited to 'pyaggr3g470r')

diff --git a/pyaggr3g470r/controllers/abstract.py b/pyaggr3g470r/controllers/abstract.py
index 95f9e211..3ea4fbff 100644
--- a/pyaggr3g470r/controllers/abstract.py
+++ b/pyaggr3g470r/controllers/abstract.py
@@ -1,4 +1,5 @@
 import logging
+from flask import g
 from bootstrap import db
 from sqlalchemy import or_
 from werkzeug.exceptions import Forbidden, NotFound
@@ -18,6 +19,9 @@ class AbstractController(object):
         allowing for a kind of "super user" mode.
         """
         self.user_id = user_id
+        if self.user_id is not None \
+                and self.user_id != g.user.id and not g.user.is_admin():
+            self.user_id = g.user.id
 
     def _to_filters(self, **filters):
         """
@@ -51,7 +55,12 @@ class AbstractController(object):
         return db_filters
 
     def _get(self, **filters):
-        if self.user_id is not None:
+        """ Will add the current user id if that one is not none (in which case
+        the decision has been made in the code that the query shouldn't be user
+        dependant) and the user is not an admin and the filters doesn't already
+        contains a filter for that user.
+        """
+        if self.user_id and filters.get(self._user_id_key) != self.user_id:
             filters[self._user_id_key] = self.user_id
         return self._db_cls.query.filter(*self._to_filters(**filters))
 
diff --git a/pyaggr3g470r/controllers/article.py b/pyaggr3g470r/controllers/article.py
index bcd73e99..d22911bd 100644
--- a/pyaggr3g470r/controllers/article.py
+++ b/pyaggr3g470r/controllers/article.py
@@ -23,6 +23,6 @@ class ArticleController(AbstractController):
 
     def get_unread(self):
         return dict(db.session.query(Article.feed_id, func.count(Article.id))
-                       .filter(Article.readed == False,
-                               Article.user_id == self.user_id)
+                       .filter(*self._to_filters(readed=False,
+                                                 user_id=self.user_id))
                        .group_by(Article.feed_id).all())
diff --git a/pyaggr3g470r/lib/crawler.py b/pyaggr3g470r/lib/crawler.py
index 339c4b12..cae3bd8f 100644
--- a/pyaggr3g470r/lib/crawler.py
+++ b/pyaggr3g470r/lib/crawler.py
@@ -267,6 +267,7 @@ class FeedCrawler(AbstractCrawler):
         for entry in parsed_response['entries']:
             entry_ids = extract_id(entry)
             entry_ids['feed_id'] = self.feed['id']
+            entry_ids['user_id'] = self.feed['user_id']
             entries[tuple(sorted(entry_ids.items()))] = entry
             ids.append(entry_ids)
         logger.debug('%r %r - found %d entries %r',
diff --git a/pyaggr3g470r/views/api/article.py b/pyaggr3g470r/views/api/article.py
index 516eef8f..03ecdb18 100644
--- a/pyaggr3g470r/views/api/article.py
+++ b/pyaggr3g470r/views/api/article.py
@@ -51,7 +51,7 @@ class ArticlesChallenge(PyAggAbstractResource):
                 if key in id_dict:
                     id_dict[key] = dateutil.parser.parse(id_dict[key])
 
-        return self.controller.challenge(parsed_args['ids'])
+        return self.wider_controller.challenge(parsed_args['ids'])
 
 
 g.api.add_resource(ArticleNewAPI, '/article', endpoint='article_new.json')
diff --git a/pyaggr3g470r/views/api/common.py b/pyaggr3g470r/views/api/common.py
index ca344c04..b8c4dd9d 100644
--- a/pyaggr3g470r/views/api/common.py
+++ b/pyaggr3g470r/views/api/common.py
@@ -90,6 +90,12 @@ class PyAggAbstractResource(Resource):
     def controller(self):
         return self.controller_cls(getattr(g.user, 'id', None))
 
+    @property
+    def wider_controller(self):
+        if g.user.is_admin():
+            return self.controller_cls()
+        return self.controller_cls(getattr(g.user, 'id', None))
+
     def reqparse_args(self, req=None, strict=False, default=True, args=None):
         """
         strict: bool
diff --git a/pyaggr3g470r/views/api/feed.py b/pyaggr3g470r/views/api/feed.py
index ad185de9..68f3a12c 100644
--- a/pyaggr3g470r/views/api/feed.py
+++ b/pyaggr3g470r/views/api/feed.py
@@ -52,12 +52,13 @@ class FetchableFeedAPI(PyAggAbstractResource):
         if g.user.refresh_rate:
             args['refresh_rate'] = g.user.refresh_rate
 
-        dont_filter_by_user = args.pop('retreive_all') and g.user.is_admin()
-
-        contr = self.controller_cls() if dont_filter_by_user \
-                else self.controller
+        if args.pop('retreive_all'):
+            contr = self.wider_controller
+        else:
+            contr = self.controller
         return [feed for feed in contr.list_fetchable(**args)]
 
+
 g.api.add_resource(FeedNewAPI, '/feed', endpoint='feed_new.json')
 g.api.add_resource(FeedAPI, '/feed/<int:obj_id>', endpoint='feed.json')
 g.api.add_resource(FeedsAPI, '/feeds', endpoint='feeds.json')
-- 
cgit