file.py add permissions check to edit_form

when editing a file, a permissions check was missing after having submitted the form. Meaning if a user were to guess the correct identification string, it was possible to upload files to a sample_set which the user did not have access to.

file.py add permissions check to edit_form
when editing a file, a permissions check was missing after having submitted the form. Meaning if a user were to guess the correct identification string, it was possible to upload files to a sample_set which the user did not have access to.
cf44a5a0 · Ryan Herbert · a4e7ce8d · cf44a5a0
Commit cf44a5a0 authored Jan 23, 2017 by Ryan Herbert
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

server/web2py/applications/vidjil/controllers/file.py server/web2py/applications/vidjil/controllers/file.py +7 -0

No files found.
--- a/server/web2py/applications/vidjil/controllers/file.py
+++ b/server/web2py/applications/vidjil/controllers/file.py
@@ -346,10 +346,17 @@ def edit_form():

    if request.vars['patient_id'] != '' :
        patient_id = int(request.vars['patient_id'].split('(')[-1][:-1])
+        if not auth.can_modify_patient(patient_id):
+            error += "permission denied to edit patient %d" % patient_id
    if request.vars['run_id'] != '' :
        run_id = int(request.vars['run_id'].split('(')[-1][:-1])
+        if not auth.can_modify_run(run_id):
+            error += "permission denied to edit run %d" % run_id
    if request.vars['generic_id'] != '' :
        generic_id = int(request.vars['generic_id'].split('(')[-1][:-1])
+        generic = db.generic[generic_id]
+        if not auth.can_modify_sample_set(generic.sample_set_id):
+            error += "permission denied to edit sample_set %d" % generic_id
    if request.vars['id'] == None :
        error += "missing id"
    if request.vars['filename'] == None :