Implemented owner-checking and Unauthorized error messages.
This commit is contained in:
parent
1f4cf8a43c
commit
142beff183
2 changed files with 29 additions and 1 deletions
|
@ -84,6 +84,10 @@ def get_fields(s_id):
|
||||||
|
|
||||||
|
|
||||||
def generate_named_fields_for_section(fields):
|
def generate_named_fields_for_section(fields):
|
||||||
|
'''
|
||||||
|
Converts a section's field data into key-value pairs
|
||||||
|
for use in policy rule lambda functions.
|
||||||
|
'''
|
||||||
result = {}
|
result = {}
|
||||||
for field in fields:
|
for field in fields:
|
||||||
key = field['field_name']
|
key = field['field_name']
|
||||||
|
@ -144,10 +148,22 @@ def reports(request):
|
||||||
|
|
||||||
return JsonResponse(report_set)
|
return JsonResponse(report_set)
|
||||||
|
|
||||||
|
def user_owns_report(user, report):
|
||||||
|
'''
|
||||||
|
Returns true if the specified user is owner of the report
|
||||||
|
'''
|
||||||
|
report_to_check = Report.objects.filter(id=report)
|
||||||
|
if len(report_to_check) < 1:
|
||||||
|
return False
|
||||||
|
return report_to_check[0].user_id == user
|
||||||
|
|
||||||
# actions for an individual report
|
# actions for an individual report
|
||||||
@api_view(['GET', 'PUT', 'DELETE'])
|
@api_view(['GET', 'PUT', 'DELETE'])
|
||||||
def report_detail(request, report_pk):
|
def report_detail(request, report_pk):
|
||||||
|
# Check that the user owns the report
|
||||||
|
if not user_owns_report(user=request.user, report=report_pk):
|
||||||
|
return JsonResponse({"message": "Current user does not own the specified report."}, status=401)
|
||||||
|
|
||||||
# view the report
|
# view the report
|
||||||
if request.method == 'GET':
|
if request.method == 'GET':
|
||||||
data = get_reports(report_pk)
|
data = get_reports(report_pk)
|
||||||
|
@ -175,10 +191,22 @@ def report_detail(request, report_pk):
|
||||||
r.delete()
|
r.delete()
|
||||||
return JsonResponse({"message": "Deleted report: {0}.".format(title)})
|
return JsonResponse({"message": "Deleted report: {0}.".format(title)})
|
||||||
|
|
||||||
|
def user_owns_section(user, section):
|
||||||
|
'''
|
||||||
|
Returns true if the specified user is owner of the section
|
||||||
|
'''
|
||||||
|
section_to_check = Section.objects.filter(id=section)
|
||||||
|
if len(section_to_check) < 1:
|
||||||
|
return False
|
||||||
|
report_to_check = section_to_check[0].report_id
|
||||||
|
return report_to_check.user_id == user
|
||||||
|
|
||||||
# update a section with new data
|
# update a section with new data
|
||||||
@api_view(['PUT'])
|
@api_view(['PUT'])
|
||||||
def section(request, report_pk, section_pk):
|
def section(request, report_pk, section_pk):
|
||||||
|
# Check that the user owns the report
|
||||||
|
if not user_owns_section(user=request.user, section=section_pk):
|
||||||
|
return JsonResponse({"message": "Current user does not own the specified section."}, status=401)
|
||||||
|
|
||||||
for key in request.data:
|
for key in request.data:
|
||||||
# get the matching field object
|
# get the matching field object
|
||||||
|
@ -292,4 +320,4 @@ def section_complete(section_pk):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
# return false if no field is filled
|
# return false if no field is filled
|
||||||
return False
|
return False
|
||||||
|
|
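Review bot: In `user_owns_section`, `section_to_check[0].report_id` is, if `Section.report` is a Django ForeignKey (the models are not in this diff), the raw integer key, so `report_to_check.user_id` on the next line raises AttributeError and the view answers 500 for every existing section instead of completing the ownership check; read `section_to_check[0].report.user_id`, or let the ORM do it with `Section.objects.filter(id=section, report__user_id=...).exists()`. Both helpers also compare an `*_id` integer against `user`, which `report_detail` and `section` pass as `request.user` (a User object), so `user_owns_report` is false for the legitimate owner too; compare against `user.pk` or the related object, and reject unauthenticated users explicitly since `AnonymousUser` has no key. Ownership failure for an already-authenticated caller is a 403, not 401, in both views, and `section` never verifies that `section_pk` belongs to the `report_pk` in its URL. `report_detail` and `section` continue outside the hunks.
```python
def user_owns_report(user, report):
    '''Returns true if the specified user is owner of the report'''
    # assumes Report.user is a ForeignKey to the auth user model — confirm against models.py
    if not getattr(user, 'is_authenticated', False):
        return False
    return Report.objects.filter(id=report, user_id=user.pk).exists()


def user_owns_section(user, section):
    '''Returns true if the specified user is owner of the section'''
    if not getattr(user, 'is_authenticated', False):
        return False
    return Section.objects.filter(id=section, report__user_id=user.pk).exists()
```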
BIN
back/db.sqlite3
BIN
back/db.sqlite3
Binary file not shown.