
Remove permission from impacted records in resource events
leplatrem committed Nov 23, 2015
1 parent 7e265e7 commit 4a854ff
Showing 3 changed files with 22 additions and 3 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.rst
Expand Up @@ -17,7 +17,8 @@ This document describes changes between each past release.

- Include plugins after setting up components (like authn/authz) so that plugins
can register views with permissions checking

- Remove ``__permissions__`` from impacted records values in ``ResourceChanged``
events (#586)

2.11.0 (2015-11-17)
-------------------
8 changes: 6 additions & 2 deletions cliquet/resource/__init__.py
Expand Up @@ -1083,7 +1083,7 @@ def process_record(self, new, old=None):

return annotated

def postprocess(self, result, **kwargs):
def postprocess(self, result, action=ACTIONS.READ, old=None):
"""Add ``permissions`` attribute in response body.
In the protocol, it was decided that ``permissions`` would reside
Expand All @@ -1097,7 +1097,11 @@ def postprocess(self, result, **kwargs):
if perms is not None:
body['permissions'] = {k: list(p) for k, p in perms.items()}

data = super(ShareableResource, self).postprocess(result, **kwargs)
if old:
# Remove permissions from event payload.
old.pop(self.model.permissions_field, None)

data = super(ShareableResource, self).postprocess(result, action, old)
body.update(data)
return body

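Review bot: `old.pop(self.model.permissions_field, None)` in the second hunk strips the field from the caller's dict in place, not from a payload-local copy, so any code that still holds a reference to `old` after `postprocess` returns (the caller, or the base-class `postprocess` this feeds into) sees the permissions gone as well; whether anything relies on that is not visible from the hunk. Copying first keeps the stripping confined to the event payload: `old = dict(old)` on the line before the `pop`. The method's docstring still describes only the `permissions` attribute added to the body; the new `action` and `old` parameters deserve a line each, e.g. `:param old: previous record; its permissions field is removed before it is passed to the base class.` Replacing `**kwargs` with explicit `action=ACTIONS.READ, old=None` also means any caller passing another keyword now raises `TypeError`, which is fine if no such caller exists but is worth a mention in the CHANGELOG entry. The docstring between the two hunks is not shown here.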
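--- a/cliquet/tests/resource/test_events.py
+++ b/cliquet/tests/resource/test_events.py
@@ -202,3 +202,17 @@ def test_impacted_records_on_delete(self):
 self.assertNotIn('new', impacted_records[0])
 self.assertEqual(impacted_records[0]['old']['id'], record['id'])
 self.assertEqual(impacted_records[0]['old']['deleted'], True)
+
+def test_permissions_are_stripped_from_event_on_protected_resource(self):
+app = self.make_app(settings={
+'psilo_write_principals': 'system.Authenticated'
+})
+resp = app.post_json('/psilos', self.body,
+headers=self.headers, status=201)
+record = resp.json['data']
+record_url = '/psilos/' + record['id']
+app.patch_json(record_url, {"data": {"name": "De barcelona"}},
+headers=self.headers)
+impacted_records = self.events[-1].impacted_records
+self.assertNotIn('__permissions__', impacted_records[0]['new'])
+self.assertNotIn('__permissions__', impacted_records[0]['old'])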
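Review bot: The new test only exercises the PATCH path, so the `old` branch added in `ShareableResource.postprocess` is covered for updates but not for deletes, where `impacted_records[0]['old']` is the deleted record (see `test_impacted_records_on_delete` just above) and `new` is absent. A second case that deletes the record and asserts `self.assertNotIn('__permissions__', impacted_records[0]['old'])` would pin that path too; the assertion on `['new']` here depends on stripping done outside the hunk, presumably by the existing `perms` handling in `postprocess`. The test also asserts the field name literally as `'__permissions__'`; using `self.resource.model.permissions_field` (or whatever the fixture exposes) would keep it in step with the resource code, assuming the test class has access to it.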