Add decorator for checking if user has access to modify project.

commit 04c8020e4348588e627428339476740cb3b60957 1 parent 0a20f19
William Tisäter tiwilliam authored

Showing 2 changed files with 20 additions and 6 deletions. Show diff stats Hide diff stats

  1. +10 0 models/project.py
  2. +10 6 utils.py
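--- a/models/project.py
+++ b/models/project.py
@@ -46,3 +46,13 @@ def create(cls, name, description, user_id, role='ADMIN'):
         return cls.init(id=id, name=name, description=description,
                         user_id=user_id, modified_at=modified_at,
                         created_at=created_at)
+
+    @classmethod
+    def has_access(cls, project_id, user_id):
+        data = db.user_projects.select() \
+            .where(db.user_projects.c.user_id == user_id) \
+            .where(db.user_projects.c.project_id == project_id) \
+            .execute()
+        if data.rowcount:
+            return True
+        return False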
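Review bot: `if data.rowcount:` on lines 56–58 is not a reliable emptiness test for a SELECT: the DBAPI spec lets a driver report -1 when the count is not determinable (sqlite3 does so for SELECT), and -1 is truthy, so on such a backend has_access would return True for every user/project pair. Fetch a row and test that instead, `return data.first() is not None`, which also releases the result cursor the method currently leaves open. Separately, the query only tests for membership in user_projects; since create() takes a role='ADMIN' argument the table presumably records a role, and a check named has_access that gates modifications may need to consult it. At minimum give the method a docstring stating what it asserts, e.g. `"""Return True if user_id has any user_projects row for project_id (role is not checked)."""`.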
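--- a/utils.py
+++ b/utils.py
@@ -1,4 +1,5 @@
 from flask import session
+from models.project import Project
 
 def require_auth(f):
     def validate(*args, **kwargs):
@@ -7,7 +8,7 @@ def validate(*args, **kwargs):
 
         if 'user_id' in kwargs:
             if session['user_id'] != kwargs['user_id']:
-                return 'Unauthorized, not your data', 403
+                return 'Unauthorized, caught in the cookie jar', 403
 
         return f(*args, **kwargs)
     return validate
@@ -17,11 +18,14 @@ def validate(*args, **kwargs):
         if 'user_id' not in session:
             return 'Unauthorized, not logged in', 403
 
-        if 'project_id' in kwargs:
-            # TODO: Check if user have access to project when models are in place
-            has_access = True
-            if not has_access:
-                return 'Unauthorized, not your data', 403
+        if 'project_id' not in kwargs:
+            return 'Unauthorized, unknown project', 403
+
+        user_id = session['user_id']
+        project_id = kwargs['project_id']
+        has_access = Project.has_access(project_id, user_id)
+        if not has_access:
+            return 'Unauthorized, caught in the cookie jar', 403
 
         return f(*args, **kwargs)
     return validate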
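Review bot: In the third hunk the new project check is wired into an inner `validate` that does not carry the wrapped function's identity; if these decorators are applied to Flask view functions, every decorated view is registered under the endpoint name `validate`, which Flask rejects as a duplicate endpoint as soon as a second route is decorated. Decorating the inner function with `@functools.wraps(f)` (with `import functools` added at the top of the file) fixes that and preserves `__name__` and `__doc__`. The decorator that owns this `validate` starts outside the hunk. Also, the second and third hunks replace the descriptive 'Unauthorized, not your data' with 'Unauthorized, caught in the cookie jar', which tells a client nothing about why it was refused; a plain message such as `'Unauthorized, not your project'` is clearer in a 403 body.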
