Implemented owner-checking and Unauthorized error messages.

This commit is contained in:
kououken 2019-02-15 14:21:48 -08:00
parent 1f4cf8a43c
commit 142beff183
2 changed files with 29 additions and 1 deletions

View file

@ -84,6 +84,10 @@ def get_fields(s_id):
def generate_named_fields_for_section(fields): def generate_named_fields_for_section(fields):
'''
Converts a section's field data into key-value pairs
for use in policy rule lambda functions.
'''
result = {} result = {}
for field in fields: for field in fields:
key = field['field_name'] key = field['field_name']
@ -144,10 +148,22 @@ def reports(request):
return JsonResponse(report_set) return JsonResponse(report_set)
def user_owns_report(user, report):
'''
Returns true if the specified user is owner of the report
'''
report_to_check = Report.objects.filter(id=report)
if len(report_to_check) < 1:
return False
return report_to_check[0].user_id == user
# actions for an individual report # actions for an individual report
@api_view(['GET', 'PUT', 'DELETE']) @api_view(['GET', 'PUT', 'DELETE'])
def report_detail(request, report_pk): def report_detail(request, report_pk):
# Check that the user owns the report
if not user_owns_report(user=request.user, report=report_pk):
return JsonResponse({"message": "Current user does not own the specified report."}, status=401)
# view the report # view the report
if request.method == 'GET': if request.method == 'GET':
data = get_reports(report_pk) data = get_reports(report_pk)
@ -175,10 +191,22 @@ def report_detail(request, report_pk):
r.delete() r.delete()
return JsonResponse({"message": "Deleted report: {0}.".format(title)}) return JsonResponse({"message": "Deleted report: {0}.".format(title)})
def user_owns_section(user, section):
'''
Returns true if the specified user is owner of the section
'''
section_to_check = Section.objects.filter(id=section)
if len(section_to_check) < 1:
return False
report_to_check = section_to_check[0].report_id
return report_to_check.user_id == user
# update a section with new data # update a section with new data
@api_view(['PUT']) @api_view(['PUT'])
def section(request, report_pk, section_pk): def section(request, report_pk, section_pk):
# Check that the user owns the report
if not user_owns_section(user=request.user, section=section_pk):
return JsonResponse({"message": "Current user does not own the specified section."}, status=401)
for key in request.data: for key in request.data:
# get the matching field object # get the matching field object

Binary file not shown.