Restrict item editing to owners and admins
This commit is contained in:
parent
cb2c9e31a1
commit
401b8abbd2
@ -30,6 +30,7 @@ def view_inventory_view(item_id):
|
||||
template = "inventory_view_public.html"
|
||||
else:
|
||||
can_audit = "k-space:janitors" in user["groups"]
|
||||
can_edit = check_edit_permission(item_id)
|
||||
bucket=get_bucket()
|
||||
photo_url = bucket.generate_presigned_url(
|
||||
ClientMethod='get_object',
|
||||
@ -124,6 +125,24 @@ class InventoryItemForm(CustomForm):
|
||||
self.inventory.form.public.data = "y"
|
||||
|
||||
|
||||
def check_edit_permission(item_id):
|
||||
if not item_id:
|
||||
return False
|
||||
user = read_user()
|
||||
if not user:
|
||||
return False
|
||||
item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 })
|
||||
if not item:
|
||||
return False
|
||||
item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
|
||||
user_username = user.get("username", False)
|
||||
user_groups = user.get("groups", [])
|
||||
if not item_username or not user_username:
|
||||
return False
|
||||
if any(group in user_groups for group in ["k-space:board", "k-space:kubernetes:admins"]):
|
||||
return True
|
||||
return item_username == user_username
|
||||
|
||||
@page_inventory.route("/m/inventory/<item_id>/edit", methods=['GET'])
|
||||
@page_inventory.route("/m/inventory/<item_id>/edit-by-slug/<slug>", methods=['GET'])
|
||||
@page_inventory.route("/m/inventory/add", methods=['GET'])
|
||||
@ -134,6 +153,8 @@ class InventoryItemForm(CustomForm):
|
||||
def view_inventory_edit(item_id=None, slug=None, clone_item_id=None):
|
||||
item = None
|
||||
if item_id:
|
||||
if not check_edit_permission(item_id):
|
||||
return abort(403)
|
||||
item = db.inventory.find_one({ "_id": ObjectId(item_id) })
|
||||
form = InventoryItemForm(**item)
|
||||
elif clone_item_id:
|
||||
@ -163,6 +184,8 @@ def view_inventory_edit(item_id=None, slug=None, clone_item_id=None):
|
||||
@page_inventory.route("/m/inventory/<clone_item_id>/clone-by-slug/<slug>", methods=['POST'])
|
||||
@login_required
|
||||
def save_inventory_item(item_id=None, **_):
|
||||
if item_id and not check_edit_permission(item_id):
|
||||
return abort(403)
|
||||
form = InventoryItemForm(request.form)
|
||||
if not form.validate_on_submit():
|
||||
has_errors = True
|
||||
|
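Review bot: In check_edit_permission (second hunk) the owner guard `if not item_username or not user_username: return False` runs before the board/admin group test, so an item whose `inventory.owner.username` is missing or empty cannot be edited by anyone, including the admins the commit title grants access to. Swapping the order — group check first, then `return bool(item_username) and item_username == user_username` — keeps deny-by-default for ordinary users while letting admins edit ownerless items. Separately, `ObjectId(item_id)` is built from a path parameter before any validation; if that constructor raises on a malformed id (as bson's does), the edit and save routes answer 500 instead of the intended 403, so catching that error in the helper and returning False would be the defensive choice, and note a non-existent item currently yields 403 rather than 404. The hard-coded group names here and the `"k-space:janitors"` literal in view_inventory_view (first hunk) would read better as shared module-level constants.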
@ -152,7 +152,9 @@
|
||||
|
||||
<div class="row">
|
||||
<div class="col s12">
|
||||
<a href="/m/inventory/{{ item._id }}/edit" class="waves-effect waves-light btn">Edit</a>
|
||||
<a {% if not can_edit %} disabled="" {% endif %} href="/m/inventory/{{ item._id }}/edit" class="waves-effect waves-light btn">
|
||||
Edit
|
||||
</a>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
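Review bot: At the changed `<a {% if not can_edit %} disabled="" {% endif %} href=...>` the `disabled` attribute has no effect on an anchor element — browsers keep the link clickable — so a viewer without edit rights still follows the edit URL and only then hits the server's 403. Rendering the control conditionally, `{% if can_edit %}<a href="/m/inventory/{{ item._id }}/edit" class="waves-effect waves-light btn">Edit</a>{% endif %}`, or omitting the href and applying the framework's `disabled` CSS class when not permitted, makes the template agree with the server-side check. `can_edit` is only assigned on the non-public branch of view_inventory_view in the Python file's first hunk, which appears to be the branch rendering this template; worth confirming no other route renders it without that variable.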