Restrict editing keys to k-space:janitors
Madis Mägi 2024-08-04 05:35:57 +03:00
parent 37544700d5
commit aa76374f1f


@ -142,10 +142,12 @@ def check_edit_permission(item_id):
user = read_user()
if not user:
return False
item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 })
item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "inventory.owner": 1 , "type": 1})
if not item:
return False
user_groups = user.get("groups", [])
if item.get("type") == "key" and "k-space:janitors" not in user_groups:
return False
if any(group in user_groups for group in ["k-space:board", "k-space:kubernetes:admins"]):
return True
item_username = item.get("inventory", {}).get("owner", {}).get("username", False)
@ -266,9 +268,12 @@ def get_bucket():
@page_inventory.route("/inventory/<item_id>/upload-photo", methods=["POST"])
@login_required
def upload_photo(item_id):
user = read_user()
item = db.inventory.find_one(filter = { "_id": ObjectId(item_id) }, projection = { "thumbs": 1 })
if not item:
return "Item not found", 404
if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
return abort(403)
if "file" not in request.files:
return "No file part", 400
file = request.files["file"]
@ -484,6 +489,8 @@ def view_inventory_claim(item_id):
})
if not item:
return abort(404)
if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
return abort(403)
db.inventory.update_one({
"_id": ObjectId(item["_id"])
@ -507,6 +514,8 @@ def view_inventory_use(item_id):
})
if not item:
return abort(404)
if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
return abort(403)
db.inventory.update_one({
"_id": ObjectId(item["_id"])
@ -530,6 +539,8 @@ def view_inventory_vacate(item_id):
})
if not item:
return abort(404)
if item.get("type") == "key" and "k-space:janitors" not in user.get("groups", []):
return abort(403)
db.inventory.update_one({
"_id": ObjectId(item["_id"])