From aa76374f1f61a2f75c824d3891dfa50411d71649 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Madis=20M=C3=A4gi?=
Date: Sun, 4 Aug 2024 05:35:57 +0300
Subject: [PATCH] Restrict editing keys to k-space:janitors

---
 inventory-app/inventory.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/inventory-app/inventory.py b/inventory-app/inventory.py
index acb195b..2bd95c9 100644
--- a/inventory-app/inventory.py
+++ b/inventory-app/inventory.py
@@ -142,10 +142,12 @@ def check_edit_permission(item_id):
 user = read_user()
 if not user:
 return False
- item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 })
+ item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 , "type": 1})
 if not item:
 return False
 user_groups = user.get("groups", [])
+ if item.get("type") == "key" and "k-space:janitors" not in user_groups:
+ return False
 if any(group in user_groups for group in ["k-space:board", "k-space:kubernetes:admins"]):
 return True
 item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
@@ -266,9 +268,12 @@ def get_bucket():
 @page_inventory.route("/inventory//upload-photo", methods=["POST"])
 @login_required
 def upload_photo(item_id):
+ user = read_user()
 item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "thumbs": 1 })
 if not item:
 return "Item not found", 404
+ if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
+ return abort(403)
 if "file" not in request.files:
 return "No file part", 400
 file = request.files["file"]
@@ -484,6 +489,8 @@ def view_inventory_claim(item_id):
 })
 if not item:
 return abort(404)
+ if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
+ return abort(403)
 db.inventory.update_one({
 "_id": ObjectId(item["_id"])
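Review bot: The new key guard in check_edit_permission is placed before the `k-space:board` / `k-space:kubernetes:admins` bypass, so board members and cluster admins who are not janitors are now refused on key items; the commit title suggests that is intended, but nothing in the code says so and the ordering reads like an accident to the next maintainer. Add a comment above the guard, e.g. `# Keys are janitor-only: deliberately checked before the board/admin bypass below`. The same two-line check is then repeated verbatim in four request handlers in the later hunks; a small helper such as `def is_key_restricted(item, user): return item.get("type") == "key" and "k-space:janitors" not in user.get("groups", [])` would keep the rule in one place so a future change to the group name or the bypass order cannot drift between call sites.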
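Review bot: The projection in upload_photo is still `{ "thumbs": 1 }`, so `item.get("type")` is always None and the new janitor check on keys never fires; the check_edit_permission hunk added `"type": 1` to its projection, but this one did not. Change the query to `projection = { "thumbs": 1, "type": 1 }`. The same question applies to view_inventory_claim, view_inventory_use and view_inventory_vacate in the later hunks: their `find_one` projections sit above the hunk and outside this view, and those checks are equally dead unless `type` is projected there. Separately, `user = read_user()` is used without the `if not user` guard that check_edit_permission has; presumably `@login_required` guarantees a user, but if `read_user()` can return None the line raises AttributeError instead of returning 403.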
@@ -507,6 +514,8 @@ def view_inventory_use(item_id):
 })
 if not item:
 return abort(404)
+ if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
+ return abort(403)
 db.inventory.update_one({
 "_id": ObjectId(item["_id"])
@@ -530,6 +539,8 @@ def view_inventory_vacate(item_id):
 })
 if not item:
 return abort(404)
+ if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
+ return abort(403)
 db.inventory.update_one({
 "_id": ObjectId(item["_id"])