From 401b8abbd2f5b303b153b3957acb8b73c0dd1682 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Madis=20M=C3=A4gi?=
Date: Wed, 15 Nov 2023 23:43:24 +0200
Subject: [PATCH] Restrict item editing to owners and admins
---
 inventory-app/inventory.py | 23 +++++++++++++++++++++
 inventory-app/templates/inventory_view.html | 4 +++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/inventory-app/inventory.py b/inventory-app/inventory.py
index 861cc39..f3b35b5 100644
--- a/inventory-app/inventory.py
+++ b/inventory-app/inventory.py
@@ -30,6 +30,7 @@ def view_inventory_view(item_id):
         template = "inventory_view_public.html"
     else:
         can_audit = "k-space:janitors" in user["groups"]
+        can_edit = check_edit_permission(item_id)
     bucket=get_bucket()
     photo_url = bucket.generate_presigned_url(
         ClientMethod='get_object',
@@ -124,6 +125,24 @@ class InventoryItemForm(CustomForm):
         self.inventory.form.public.data = "y"
+def check_edit_permission(item_id):
+    if not item_id:
+        return False
+    user = read_user()
+    if not user:
+        return False
+    item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 })
+    if not item:
+        return False
+    item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
+    user_username = user.get("username", False)
+    user_groups = user.get("groups", [])
+    if not item_username or not user_username:
+        return False
+    if any(group in user_groups for group in ["k-space:board", "k-space:kubernetes:admins"]):
+        return True
+    return item_username == user_username
+
 @page_inventory.route("/m/inventory//edit", methods=['GET'])
 @page_inventory.route("/m/inventory//edit-by-slug/", methods=['GET'])
 @page_inventory.route("/m/inventory/add", methods=['GET'])
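Review bot: `can_edit = check_edit_permission(item_id)` is bound only on the `else` branch, so on the public-template branch the name is never assigned; if the render call later in `view_inventory_view` (outside this hunk) passes `can_edit` to the template or hands over `**locals()`, that branch will raise or silently drop the flag. Initialising it on both paths, e.g. `can_edit = False` before the `if` and overriding it in the `else`, keeps the template contract uniform. The call also re-reads the user and re-queries the item that this view presumably already loaded; passing the loaded document into the check would avoid the duplicate round trip, though that is an inference since the loading code is not in the hunk. `view_inventory_view` starts and ends outside the hunk.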
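Review bot: `item.get("inventory", {}).get("owner", {})` in `check_edit_permission` assumes `owner` is a dict; if an item has its owner stored as null, `.get("owner", {})` returns `None` and the chained `.get("username", False)` raises, so the permission check becomes a 500 instead of a clean denial. `(item.get("inventory") or {}).get("owner") or {}` keeps the deny path intact for that shape. The admin group list is a literal inside the function; lifting it to a module constant such as `EDIT_ADMIN_GROUPS = ("k-space:board", "k-space:kubernetes:admins")` puts the authorisation policy in one visible place next to the existing `"k-space:janitors"` audit check rather than buried in a helper. The function also has no docstring; a one-liner stating that it returns True only for a logged-in owner of the item or a member of the listed admin groups, and False for a missing id, unknown user, or unknown item, would document the contract the two new guards rely on.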
@@ -134,6 +153,8 @@ class InventoryItemForm(CustomForm):
 def view_inventory_edit(item_id=None, slug=None, clone_item_id=None):
     item = None
     if item_id:
+        if not check_edit_permission(item_id):
+            return abort(403)
         item = db.inventory.find_one({ "_id": ObjectId(item_id) })
         form = InventoryItemForm(**item)
     elif clone_item_id:
@@ -163,6 +184,8 @@ def view_inventory_edit(item_id=None, slug=None, clone_item_id=None):
 @page_inventory.route("/m/inventory//clone-by-slug/", methods=['POST'])
 @login_required
 def save_inventory_item(item_id=None, **_):
+    if item_id and not check_edit_permission(item_id):
+        return abort(403)
     form = InventoryItemForm(request.form)
     if not form.validate_on_submit():
         has_errors = True
diff --git a/inventory-app/templates/inventory_view.html b/inventory-app/templates/inventory_view.html
index d477931..b0c8f67 100644
--- a/inventory-app/templates/inventory_view.html
+++ b/inventory-app/templates/inventory_view.html
@@ -152,7 +152,9 @@
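Review bot: `return abort(403)` in `view_inventory_edit`, and the same form in `save_inventory_item` in the next hunk, never actually returns — Flask's `abort` raises an `HTTPException` — so the `return` is dead and a plain `abort(403)` reads more honestly, unless the rest of the file already uses the `return abort(...)` idiom. Because the guard runs before the `find_one`, a non-existent `item_id` now yields 403 rather than 404; not revealing whether an id exists is a reasonable choice, but it deserves a comment such as `# 403 for unknown ids too: do not disclose whether an item exists`. Note that `check_edit_permission` already fetches the item (with a projection) and `find_one` fetches it again two lines later, so an edit request now costs two item reads plus a user read. `view_inventory_edit` continues past the hunk.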
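Review bot: The guard in `save_inventory_item` fires whenever `item_id` is set, yet the only route visible in the hunk is the `clone-by-slug` POST; the `<...>` path parameters are lost in this rendering, so if that route binds the clone source into `item_id`, cloning another member's item now returns 403 even though cloning creates a new record rather than modifying the source. If cloning is meant to stay open, bind the source under a separate parameter name (as `view_inventory_edit` does with `clone_item_id`) so the ownership check covers only in-place edits. The check also keys on the URL `item_id`; if the later part of this function (outside the hunk) derives the document to update from the submitted form instead, confirm that the value being authorised is the one being written.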