
Add decorator for checking if user has access to modify project.

1 parent 0a20f19 commit 04c8020e4348588e627428339476740cb3b60957 @tiwilliam tiwilliam committed Jun 11, 2012
Showing with 20 additions and 6 deletions.
  1. +10 −0 models/project.py
  2. +10 −6 utils.py
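--- a/models/project.py
+++ b/models/project.py
@@ -46,3 +46,13 @@ def create(cls, name, description, user_id, role='ADMIN'):
 return cls.init(id=id, name=name, description=description,
 user_id=user_id, modified_at=modified_at,
 created_at=created_at)
+
+@classmethod
+def has_access(cls, project_id, user_id):
+data = db.user_projects.select() \
+.where(db.user_projects.c.user_id == user_id) \
+.where(db.user_projects.c.project_id == project_id) \
+.execute()
+if data.rowcount:
+return True
+return False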
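Review bot: `has_access` decides membership from `data.rowcount` in the trailing `if data.rowcount:` test, and if `db` is SQLAlchemy Core (the `.c.user_id` column syntax suggests it) `rowcount` is only meaningful for UPDATE/DELETE — for a SELECT several DBAPI drivers report -1 or 0, which would deny access to every user on those backends. Fetching a row is the dependable signal and also releases the result cursor: replace the last three lines with `row = data.first()` and `return row is not None`. The query also tests only that a `user_projects` row exists; `create` stores a `role` (see the hunk header), and the commit message describes a check for permission to modify, so if roles are meant to gate modification the query should additionally constrain on the role column — that intent cannot be confirmed from the diff. The enclosing `Project` class starts outside the hunk.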
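--- a/utils.py
+++ b/utils.py
@@ -1,4 +1,5 @@
 from flask import session
+from models.project import Project
 def require_auth(f):
 def validate(*args, **kwargs):
@@ -7,7 +8,7 @@ def validate(*args, **kwargs):
 if 'user_id' in kwargs:
 if session['user_id'] != kwargs['user_id']:
-return 'Unauthorized, not your data', 403
+return 'Unauthorized, caught in the cookie jar', 403
 return f(*args, **kwargs)
 return validate
@@ -17,11 +18,14 @@ def validate(*args, **kwargs):
 if 'user_id' not in session:
 return 'Unauthorized, not logged in', 403
-if 'project_id' in kwargs:
-# TODO: Check if user have access to project when models are in place
-has_access = True
-if not has_access:
-return 'Unauthorized, not your data', 403
+if 'project_id' not in kwargs:
+return 'Unauthorized, unknown project', 403
+
+user_id = session['user_id']
+project_id = kwargs['project_id']
+has_access = Project.has_access(project_id, user_id)
+if not has_access:
+return 'Unauthorized, caught in the cookie jar', 403
 return f(*args, **kwargs)
 return validate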
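Review bot: In the third hunk a logged-in user who is simply not a member of the project gets `'Unauthorized, caught in the cookie jar', 403`, the same text the user_id-mismatch branch in the second hunk now returns, so a reader of the response or logs cannot tell a session/cookie problem from an ordinary authorization denial; a message naming the actual cause, e.g. `return 'Unauthorized, no access to project', 403`, keeps the two cases distinguishable without disclosing anything about the project. The `'Unauthorized, unknown project'` branch fires only when the decorated route has no `project_id` parameter, which is a decorator-misuse condition rather than a client fault, so answering 403 hides a configuration mistake — raising, or at least a comment such as `# only valid on routes that bind a <project_id> path parameter`, would make that explicit. `has_access` is assigned once and tested once; `if not Project.has_access(project_id, user_id):` reads more directly. The decorated function and its `validate` closure start outside the hunk, and whether the new `from models.project import Project` import introduces a cycle with `models.project` cannot be judged from the diff.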
