Restrict item editing to owners and admins

This commit is contained in:
Madis Mägi 2023-11-15 23:43:24 +02:00
parent cb2c9e31a1
commit 401b8abbd2
2 changed files with 26 additions and 1 deletions


@ -30,6 +30,7 @@ def view_inventory_view(item_id):
template = "inventory_view_public.html" template = "inventory_view_public.html"
else: else:
can_audit = "k-space:janitors" in user["groups"] can_audit = "k-space:janitors" in user["groups"]
can_edit = check_edit_permission(item_id)
bucket=get_bucket() bucket=get_bucket()
photo_url = bucket.generate_presigned_url( photo_url = bucket.generate_presigned_url(
ClientMethod='get_object', ClientMethod='get_object',
@ -124,6 +125,24 @@ class InventoryItemForm(CustomForm):
self.inventory.form.public.data = "y" self.inventory.form.public.data = "y"
def check_edit_permission(item_id):
if not item_id:
return False
user = read_user()
if not user:
return False
item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 })
if not item:
return False
item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
user_username = user.get("username", False)
user_groups = user.get("groups", [])
if not item_username or not user_username:
return False
if any(group in user_groups for group in ["k-space:board", "k-space:kubernetes:admins"]):
return True
return item_username == user_username
@page_inventory.route("/m/inventory/<item_id>/edit", methods=['GET']) @page_inventory.route("/m/inventory/<item_id>/edit", methods=['GET'])
@page_inventory.route("/m/inventory/<item_id>/edit-by-slug/<slug>", methods=['GET']) @page_inventory.route("/m/inventory/<item_id>/edit-by-slug/<slug>", methods=['GET'])
@page_inventory.route("/m/inventory/add", methods=['GET']) @page_inventory.route("/m/inventory/add", methods=['GET'])
@ -134,6 +153,8 @@ class InventoryItemForm(CustomForm):
def view_inventory_edit(item_id=None, slug=None, clone_item_id=None): def view_inventory_edit(item_id=None, slug=None, clone_item_id=None):
item = None item = None
if item_id: if item_id:
if not check_edit_permission(item_id):
return abort(403)
item = db.inventory.find_one({ "_id": ObjectId(item_id) }) item = db.inventory.find_one({ "_id": ObjectId(item_id) })
form = InventoryItemForm(**item) form = InventoryItemForm(**item)
elif clone_item_id: elif clone_item_id:
@ -163,6 +184,8 @@ def view_inventory_edit(item_id=None, slug=None, clone_item_id=None):
@page_inventory.route("/m/inventory/<clone_item_id>/clone-by-slug/<slug>", methods=['POST']) @page_inventory.route("/m/inventory/<clone_item_id>/clone-by-slug/<slug>", methods=['POST'])
@login_required @login_required
def save_inventory_item(item_id=None, **_): def save_inventory_item(item_id=None, **_):
if item_id and not check_edit_permission(item_id):
return abort(403)
form = InventoryItemForm(request.form) form = InventoryItemForm(request.form)
if not form.validate_on_submit(): if not form.validate_on_submit():
has_errors = True has_errors = True
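Review bot: In `check_edit_permission`, the admin-group test on the `any(...)` line is only reached after `if not item_username or not user_username: return False`, so a member of `k-space:board` or `k-space:kubernetes:admins` is denied on any item whose owner record has no `username` (and `.get("owner", {})` still raises if `owner` is stored as `None` rather than absent — verify against the schema). Moving the `if any(group in user_groups for group in [...]): return True` check directly after `user_groups = user.get("groups", [])` gives admins the override regardless of ownership data. A malformed `item_id` would also raise inside `ObjectId(item_id)` before the lookup if this is bson's `ObjectId`, yielding a 500 instead of a 403; wrapping the constructor in a `try`/`except` that returns `False` keeps the helper's contract. Note also that `view_inventory_edit` re-reads the same document right after the check, and that the `clone-by-slug` POST route's `clone_item_id` lands in `**_` of `save_inventory_item`, so that path is not subject to the new check — presumably intentional since cloning creates a new item, but worth a comment saying so.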


@ -152,7 +152,9 @@
<div class="row"> <div class="row">
<div class="col s12"> <div class="col s12">
<a href="/m/inventory/{{ item._id }}/edit" class="waves-effect waves-light btn">Edit</a> <a {% if not can_edit %} disabled="" {% endif %} href="/m/inventory/{{ item._id }}/edit" class="waves-effect waves-light btn">
Edit
</a>
</div> </div>
</div> </div>
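Review bot: `disabled=""` on the `<a>` element in the changed line does not stop the link from being followed — `disabled` is not a valid attribute for anchors, so the button still navigates to `/m/inventory/{{ item._id }}/edit` and only looks inactive if the CSS framework styles it; the server-side 403 added in the Python file is what actually enforces the restriction. If the intent is to hide the action from non-editors, wrap the anchor in `{% if can_edit %} … {% endif %}` instead, or at least add `aria-disabled="true"` so assistive technology reflects the state. `can_edit` is only assigned in the non-public branch of `view_inventory_view`; that works here because an undefined Jinja variable is falsy by default, but it would break under a strict-undefined configuration, so setting `can_edit = False` in the other branch is safer.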