
Use validate_acls to produce the can_edit value.

ralphbean committed Sep 10, 2015
1 parent ccc3707 commit fdcbcaee0bff4ac8fa487799f8e7aae7462913f6
Showing with 24 additions and 1 deletion.
  1. +18 −0 bodhi/security.py
  2. +6 −1 bodhi/services/updates.py
@@ -12,6 +12,8 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

from cornice.errors import Errors

from pyramid.security import (Allow, Deny, Everyone, Authenticated,
ALL_PERMISSIONS, DENY_ALL)
from pyramid.security import remember, forget
@@ -189,3 +191,19 @@ def __contains__(self, item):

cors_origins_ro = CorsOrigins('cors_origins_ro')
cors_origins_rw = CorsOrigins('cors_origins_rw')


class ProtectedRequest(object):
""" A proxy to the request object.
The point here is that you can set 'errors' on this request, but they
will be sent to /dev/null and hidden from cornice. Otherwise, this
object behaves just like a normal request object.
"""
def __init__(self, real_request):
# Hide errors added to this from the real request
self.errors = Errors()
# But proxy other attributes to the real request
self.real_request = real_request
for attr in ['db', 'registry', 'validated', 'buildinfo', 'user']:
setattr(self, attr, getattr(self.real_request, attr))
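Review bot: ProtectedRequest copies only `db`, `registry`, `validated`, `buildinfo` and `user`, once, in `__init__`, so the docstring's claim that it otherwise behaves just like a normal request does not hold. Any other attribute a validator reads raises AttributeError, and the constructor itself fails if the real request lacks one of the five. A fallback such as `def __getattr__(self, name): return getattr(self.real_request, name)` would proxy the rest lazily while `errors` stays local. Also, `validated` is the same object as on the real request, so anything a validator writes into it through the proxy reaches the real request; only `errors` is isolated, and the docstring should say so.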
@@ -80,7 +80,12 @@
error_handler=bodhi.services.errors.html_handler)
def get_update(request):
"""Return a single update from an id, title, or alias"""
can_edit = bool(has_permission('edit', request.context, request))

proxy_request = bodhi.security.ProtectedRequest(request)
validate_acls(proxy_request)
# If validate_acls produced 0 errors, then we can edit this update.
can_edit = len(proxy_request.errors) == 0

return dict(update=request.validated['update'], can_edit=can_edit)
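Review bot: `can_edit` in `get_update` now depends only on `validate_acls` recording zero errors, and the earlier `has_permission('edit', ...)` check is dropped, so this read-only view runs the full ACL validator for every viewer, including anonymous ones. `validate_acls` is not visible in this hunk; if it dereferences `request.user` or queries an external ACL service, an unauthenticated GET could raise or become slow instead of returning `can_edit=False`. Keeping the cheap check as a guard, e.g. `if has_permission('edit', request.context, request):` around the proxy call with `can_edit = False` as the default, would keep the view failing closed. The inline comment could also state that `can_edit` is only a display hint and that the edit endpoint must still run `validate_acls` itself. The decorator that opens this view starts above the hunk.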

