Changeset 78af3d1 in OpenWorkouts-current


Timestamp:
Feb 9, 2019, 9:42:52 PM (5 years ago)
Author:
Borja Lopez <borja@…>
Branches:
current, feature/docs, master
Children:
56caf3d
Parents:
55470f9
Message:

Fix permissions. From now on users can see (and edit, delete, etc) their own data

Location:
ow
Files:
5 edited

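--- a/ow/models/user.py
+++ b/ow/models/user.py
@@ -6,5 +6,5 @@
 import bcrypt
 from repoze.folder import Folder
-from pyramid.security import Allow
+from pyramid.security import Allow, Deny, Everyone, ALL_PERMISSIONS
 
 from ow.catalog import get_catalog, reindex_object
@@ -18,6 +18,7 @@
     def __acl__(self):
         permissions = [
+            (Allow, str(self.uid), 'view'),
             (Allow, str(self.uid), 'edit'),
-            (Allow, str(self.uid), 'view'),
+            (Deny, Everyone, ALL_PERMISSIONS),
         ]
         return permissions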
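Review bot: The trailing `(Deny, Everyone, ALL_PERMISSIONS)` in `__acl__` makes this ACL terminal: Pyramid's ACL policy stops at the first matching ACE, so any grant higher in the traversal tree (an admin or site-wide principal, if the root defines one) no longer reaches a User or anything below it; Workout.__acl__ in ow/models/workout.py gets the same Deny and additionally drops its `(Allow, 'group:admins', 'edit')` entry. If that lock-out is the intent, say so on the Deny line, e.g. `# terminal ACE: blocks inherited grants, only the owner can reach this object`; if admins should keep access, an explicit Allow for them has to precede the Deny. `__acl__` also has no docstring; `"""Only the user themself may view/edit this object; everyone else is denied."""` would state the contract.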
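--- a/ow/models/workout.py
+++ b/ow/models/workout.py
@@ -6,5 +6,5 @@
 import gpxpy
 from repoze.folder import Folder
-from pyramid.security import Allow, Everyone
+from pyramid.security import Allow, Deny, Everyone, ALL_PERMISSIONS
 
 from ow.utilities import (
@@ -29,17 +29,11 @@
         it (for now). If not, everybody can view it, only admins can edit it.
         """
-        # Default permissions
+        uid = self.__parent__.uid
         permissions = [
-            (Allow, Everyone, 'view'),
-            (Allow, 'group:admins', 'edit')
+            (Allow, str(uid), 'view'),
+            (Allow, str(uid), 'edit'),
+            (Allow, str(uid), 'delete'),
+            (Deny, Everyone, ALL_PERMISSIONS)
         ]
-
-        uid = getattr(self.__parent__, 'uid', None)
-        if uid is not None:
-            # Change permissions in case this workout has an owner
-            permissions = [
-                (Allow, str(uid), 'view'),
-                (Allow, str(uid), 'edit'),
-            ]
         return permissions
 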
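Review bot: `uid = self.__parent__.uid` raises AttributeError when the workout has no parent or the parent has no uid (the updated ow/tests/models/test_workout.py now asserts exactly that), and because __acl__ is evaluated by the authorization policy during a request, such an object would fail with a 500 instead of a 403. A guard that keeps the deny-all default is small: `uid = getattr(self.__parent__, 'uid', None)` followed by `if uid is None: return [(Deny, Everyone, ALL_PERMISSIONS)]`. The docstring, which starts outside the hunk, still says "If not, everybody can view it, only admins can edit it." and should be rewritten to say that the owning user gets view/edit/delete, everyone else is denied, and that a parent with a uid is required.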
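--- a/ow/tests/models/test_user.py
+++ b/ow/tests/models/test_user.py
@@ -3,5 +3,5 @@
 
 import pytest
-from pyramid.security import Allow
+from pyramid.security import Allow, Everyone, Deny, ALL_PERMISSIONS
 
 from ow.models.root import OpenWorkouts
@@ -33,5 +33,9 @@
     def test__acl__(self, root):
         uid = str(root['john'].uid)
-        permissions = [(Allow, uid, 'edit'), (Allow, uid, 'view')]
+        permissions = [
+            (Allow, uid, 'view'),
+            (Allow, uid, 'edit'),
+            (Deny, Everyone, ALL_PERMISSIONS),
+        ]
         assert root['john'].__acl__() == permissions
 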
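--- a/ow/tests/models/test_workout.py
+++ b/ow/tests/models/test_workout.py
@@ -6,5 +6,5 @@
 
 import pytest
-from pyramid.security import Allow, Everyone
+from pyramid.security import Allow, Everyone, Deny, ALL_PERMISSIONS
 
 from ow.models.workout import Workout
@@ -33,13 +33,17 @@
     def test__acl__(self, root):
         # First check permissions for a workout without parent
-        permissions = [(Allow, Everyone, 'view'),
-                       (Allow, 'group:admins', 'edit')]
-        workout = Workout()
-        assert workout.__acl__() == permissions
-
+        workout = Workout()
+        with pytest.raises(AttributeError):
+            workout.__acl__()
         # Now permissions on a workout that has been added to a user
         uid = str(root['john'].uid)
-        permissions = [(Allow, uid, 'view'), (Allow, uid, 'edit')]
-        assert root['john']['1'].__acl__() == permissions
+        workout = root['john']['1']
+        permissions = [
+            (Allow, uid, 'view'),
+            (Allow, uid, 'edit'),
+            (Allow, uid, 'delete'),
+            (Deny, Everyone, ALL_PERMISSIONS)
+        ]
+        assert workout.__acl__() == permissions
 
     def test_runthrough(self, root):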
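Review bot: `with pytest.raises(AttributeError)` around `Workout().__acl__()` pins an unhandled exception as the contract for a parentless workout, so this test breaks the moment the model gains a guard for the missing owner. The more useful assertion for that case is the safe outcome, e.g. `assert Workout().__acl__() == [(Deny, Everyone, ALL_PERMISSIONS)]` once the model returns it, or at minimum a comment above the `with` block saying that raising here is deliberate rather than an oversight. The positive case checks only the owner's list; an assertion that a principal other than `uid` receives no Allow entry would test the property the commit message describes.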
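--- a/ow/views/workout.py
+++ b/ow/views/workout.py
@@ -23,4 +23,5 @@
 @view_config(
     context=User,
+    permission='edit',
     name='add-workout-manually',
     renderer='ow:templates/add_manual_workout.pt')
@@ -59,4 +60,5 @@
 @view_config(
     context=User,
+    permission='edit',
     name='add-workout',
     renderer='ow:templates/add_workout.pt')
@@ -93,4 +95,5 @@
 @view_config(
     context=Workout,
+    permission='edit',
     name='edit',
     renderer='ow:templates/edit_manual_workout.pt')
@@ -139,4 +142,5 @@
 @view_config(
     context=Workout,
+    permission='edit',
     name='update-from-file',
     renderer='ow:templates/update_workout_from_file.pt')
@@ -167,4 +171,5 @@
 @view_config(
     context=Workout,
+    permission='delete',
     name='delete',
     renderer='ow:templates/delete_workout.pt')
@@ -184,4 +189,5 @@
 @view_config(
     context=Workout,
+    permission='view',
     renderer='ow:templates/workout.pt')
 def workout(context, request):
@@ -212,4 +218,7 @@
     For now, simply return the gpx file if it has been attached to the
     workout.
+
+    This view requires no permission, as we access it from an non-authenticated
+    request in a separate job, to generate the static map screenshot.
     """
     if not context.has_gpx:
@@ -229,5 +238,7 @@
 def workout_map(context, request):
     """
-    Render a page that has only a map with tracking info
+    Render a page that has only a map with tracking info.
+    This view requires no permission, as we access it from an non-authenticated
+    request in a separate job, to generate the static map screenshot.
     """
     start_point = {}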
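Review bot: The two views whose new docstrings say they require no permission — the gpx download (its `def` is outside the hunk) and `workout_map` — are left without `permission=`, and a Pyramid view registered without a permission is not checked against the context ACL, so the `(Deny, Everyone, ALL_PERMISSIONS)` this commit adds to Workout does not cover them: the raw GPX track and the map page of a workout that is otherwise owner-only remain readable by an unauthenticated request, unless a default permission is configured somewhere not shown here. Rather than leaving them open for the screenshot job, consider running that job with its own authenticated principal (or a short-lived per-workout token it presents) and giving both views `permission='view'`, so the track data is guarded by the same ACL as the rest of the workout. If the trade-off is accepted for now, the docstrings should state what is exposed, e.g. `NOTE: the GPX data and map are reachable anonymously; the static-map job depends on this.`, and "an non-authenticated" should read "a non-authenticated" in both.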