A client must not be able to edit an event that is tagged with a protected label #218

Closed
osteele opened this issue May 3, 2018 · 0 comments
Labels
auth Authorization and authentication

Comments

@osteele
Contributor

osteele commented May 3, 2018

Add a "protected" attribute to the label model. Prevent events that include this label from creation, modification and deletion.

Implementation steps:

  • Add `protected = BooleanField()` to `class Label(Document)`.
  • Add `"protected": fields.Boolean` to `label_model` in `label_resources.py`.
  • The methods in `event_resources.py` query whether any labels are protected. If so, they abort with a 401 status.

There is probably a simple MongoDB query (using aggregates?) to query all the labels in a list of strings, project their protected attributes, and compute the "or" of those values. Maybe there is also a way to express this in mongoengine.

This issue disables any modification to protected events. #239 re-enables access for administrators.

@osteele osteele changed the title An unauthorized user must not be able to edit an event that is tagged with a protected tag A client must not be able to edit an event that is tagged with a protected tag May 3, 2018
@osteele osteele added the auth Authorization and authentication label May 3, 2018
osteele added a commit that referenced this issue May 4, 2018
Starts #103.

Creates stubs for #75 (marked in `test_events.py` by a TODO).

Issues #218, #217, #216 and #215 should add to these tests.
@osteele osteele changed the title A client must not be able to edit an event that is tagged with a protected tag A client must not be able to edit an event that is tagged with a protected label May 7, 2018
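
The protected-label check described in the issue, as an added example that is not part of the original issue or the project's code. It assumes label documents are keyed by a `name` field, uses an in-memory list in place of the labels collection, and all function names are hypothetical; it shows that a single filtered lookup gives the "or" without an aggregate, and that an edit has to check the stored labels as well as the submitted ones.

```python
# Added example: in-memory stand-ins, not the project's code.
PROTECTED_STATUS = 401  # the status the issue says to abort with

# Constructed sample label documents; the "name" key is an assumption.
LABELS = [
    {"name": "library", "protected": False},
    {"name": "featured", "protected": True},
    {"name": "legacy"},  # stored before the field existed: no "protected" key
]


def protected_filter(names):
    """MongoDB filter that matches any protected label among `names`.

    The "or" of the protected flags is true exactly when this filter matches
    at least one document, so no aggregate pipeline is needed. With mongoengine
    the same filter is Label.objects(name__in=names, protected=True).
    """
    return {"name": {"$in": sorted(set(names))}, "protected": True}


def matches(doc, flt):
    """Evaluate the two operators used above (equality and $in) on one doc."""
    for key, cond in flt.items():
        value = doc.get(key)
        if isinstance(cond, dict):
            if value not in cond["$in"]:
                return False
        elif value != cond:  # a missing field never equals True, as in MongoDB
            return False
    return True


def any_protected(names, labels=LABELS):
    flt = protected_filter(names)
    return any(matches(doc, flt) for doc in labels)


def event_write_status(stored=(), submitted=(), labels=LABELS):
    """Return 401 when a create, modify or delete touches a protected label.

    stored: labels on the existing event (empty on create).
    submitted: labels in the request body (empty on delete).
    Checking only `submitted` would let an edit strip the protected label.
    """
    touched = set(stored) | set(submitted)
    return PROTECTED_STATUS if any_protected(touched, labels) else None
```

Label names that match no document are treated as unprotected here, which mirrors what the filter returns for them.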