Merge e8d3a58 into 2c0edb7

uc-cdis · Jun 27, 2019 · 751c5a4 · 751c5a4
2 parents 2c0edb7 + e8d3a58
commit 751c5a4
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/fence/blueprints/data/indexd.py b/fence/blueprints/data/indexd.py
@@ -44,6 +44,7 @@
     "gs": {"upload": "PUT", "download": "GET"},
 }
 
+
 SUPPORTED_PROTOCOLS = ["s3", "http", "ftp", "https", "gs"]
 SUPPORTED_ACTIONS = ["upload", "download"]
 ANONYMOUS_USER_ID = "anonymous"
@@ -339,19 +340,24 @@ def _get_signed_url(self, protocol, action, expires_in, force_signed_url):
         )
 
     @cached_property
-    def set_acls(self):
-        if "acl" in self.index_document:
+    def authz(self):
+        if "authz" in self.index_document:
+            return set(self.index_document["authz"])
+        elif "acl" in self.index_document:
             return set(self.index_document["acl"])
         elif "acls" in self.metadata:
             return set(self.metadata["acls"].split(","))
         else:
             raise Unauthorized("This file is not accessible")
 
-    def check_authz(self, action):
+    def check_authz(self, action, token=None):
+        if token is None:
+            token = get_jwt()
+
         if not self.index_document.get("authz"):
             raise ValueError("index record missing `authz`")
 
-        request = {"user": {"token": get_jwt()}, "requests": []}
+        request = {"user": {"token": token}, "requests": []}
         for resource in self.index_document["authz"]:
             request["requests"].append(
                 {"resource": resource, "action": {"service": "fence", "method": action}}
@@ -365,7 +371,7 @@ def metadata(self):
 
     @cached_property
     def public(self):
-        return check_public(self.set_acls)
+        return self.check_public(self.authz)
 
     @login_required({"data"})
     def check_authorization(self, action):
@@ -399,7 +405,7 @@ def check_authorization(self, action):
             given_acls = set(
                 filter_auth_ids(action, flask.g.token["context"]["user"]["projects"])
             )
-        return len(self.set_acls & given_acls) > 0
+        return len(self.authz & given_acls) > 0
 
     @login_required({"data"})
     def delete_files(self, urls=None, delete_all=True):
@@ -829,6 +835,6 @@ def filter_auth_ids(action, list_auth_ids):
     return authorized_dbgaps
 
 
-def check_public(set_acls):
-    if "*" in set_acls:
+def check_public(self, authz):
+    if "*" in authz or "/open" in authz:
         return True