Commit 330a8e80 authored by Pablo Panero's avatar Pablo Panero
Browse files

Merge branch 'permissions' into 'master'

Change permissions on read, update and delete to accept owners too

See merge request ppanero/cern_search_rest!22
parents 3a2d251e 8f1366b9
......@@ -63,7 +63,7 @@ class RecordPermission(object):
"""Create a record permission."""
# Allow everything for testing
if action in cls.create_actions:
return cls(record, has_create_permission, user)
return cls(record, has_owner_permission, user)
elif action in cls.read_actions:
return cls(record, has_read_record_permission, user)
elif action in cls.update_actions:
......@@ -74,7 +74,7 @@ class RecordPermission(object):
return cls(record, deny, user)
def has_create_permission(user, record):
def has_owner_permission(user, record=None):
"""Check if user is authenticated and has create access"""
if user.is_authenticated:
# Allow based in the '_access' key
......@@ -82,7 +82,6 @@ def has_create_permission(user, record):
user_index = request.args.get("index")
index_exists, es_index = parse_index(user_index)
if index_exists and current_search_client.indices.exists([es_index]):
# TODO How to query the index to get the owner?
mapping = current_search_client.indices.get_mapping([es_index])
if mapping is not None:
# set.isdisjoint() is faster than set.intersection()
......@@ -109,7 +108,8 @@ def has_update_permission(user, record):
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
update_access_groups = record['_access']['update'].split(',')
if user_provides and not set(user_provides).isdisjoint(set(update_access_groups)):
if (user_provides and not set(user_provides).isdisjoint(set(update_access_groups))) \
or has_owner_permission(user):
return True
return False
......@@ -121,7 +121,8 @@ def has_read_record_permission(user, record):
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
read_access_groups = record['_access']['read'].split(',')
if user_provides and not set(user_provides).isdisjoint(set(read_access_groups)):
if (user_provides and not set(user_provides).isdisjoint(set(read_access_groups))) \
or has_owner_permission(user):
return True
return False
......@@ -133,7 +134,8 @@ def has_delete_permission(user, record):
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
delete_access_groups = record['_access']['delete'].split(',')
if user_provides and not set(user_provides).isdisjoint(set(delete_access_groups)):
if (user_provides and not set(user_provides).isdisjoint(set(delete_access_groups))) \
or has_owner_permission(user):
return True
return False
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment