controllers/config.py Restrict config route access

Added permission checks to config route

controllers/config.py Restrict config route access
Added permission checks to config route
fe822216 · HERBERT Ryan · d355fe26 · fe822216
Commit fe822216 authored Apr 18, 2016 by HERBERT Ryan
--- a/server/web2py/applications/vidjil/controllers/config.py
+++ b/server/web2py/applications/vidjil/controllers/config.py
 # coding: utf8
 import gluon.contrib.simplejson
+from controller_utils import error_message
 if request.env.http_origin:
    response.headers['Access-Control-Allow-Origin'] = request.env.http_origin  
    response.headers['Access-Control-Allow-Credentials'] = 'true'
@@ -36,13 +37,25 @@ def add_form():

    if error=="" :
        
-        db.config.insert(name=request.vars['config_name'],
+        config_id = db.config.insert(name=request.vars['config_name'],
                        info=request.vars['config_info'],
                        command=request.vars['config_command'],
                        fuse_command=request.vars['config_fuse_command'],
                        program=request.vars['config_program']
                        )

+        user_group = None
+        group_ids = list(auth.user_groups.keys())
+        for gid in group_ids:
+            if (auth.user_groups[gid] != 'public'):
+                user_group = gid
+                break
+
+        db.auth_permission.insert(group_id=user_group,
+                                name='create',
+                                table_name='config',
+                                record_id=config_id)
+
        res = {"redirect": "config/index",
               "message": "config '%s' added" % request.vars['config_name']}
        log.admin(res)
@@ -54,13 +67,18 @@ def add_form():
        return gluon.contrib.simplejson.dumps(res, separators=(',',':'))


-def edit(): 
-    return dict(message=T('edit config'))
+def edit():
+    if (auth.can_modify_config(request.vars['config_id'])):
+        return dict(message=T('edit config'))
+    return error_message(ACCESS_DENIED)


 def edit_form(): 
    error =""

+    if (auth.can_modify_config(request.vars['config_id'])):
+        error += "ACCESS_DENIED"
+
    required_fields = ['id', 'config_name', 'config_command', 'config_fuse_command', 'config_program']
    for field in required_fields:
        if request.vars[field] == "" :
@@ -87,19 +105,23 @@ def edit_form():
        return gluon.contrib.simplejson.dumps(res, separators=(',',':'))

 def confirm():
-    return dict(message=T('confirm config deletion'))
+    if (auth.can_modify_config(request.vars['id'])):
+        return dict(message=T('confirm config deletion'))
+    return error_message(ACCESS_DENIED)

 def delete():
-    #delete results_file using this config
-    db(db.results_file.config_id==request.vars["id"]).delete()
-    
-    #delete config
-    db(db.config.id==request.vars["id"]).delete() 
-    
-    res = {"redirect": "config/index",
-           "message": "config '%s' deleted" % request.vars["id"]}
-    log.admin(res)
-    return gluon.contrib.simplejson.dumps(res, separators=(',',':'))
+    if (auth.can_modify_config(request.vars['id'])):
+        #delete results_file using this config
+        db(db.results_file.config_id==request.vars["id"]).delete()
+
+        #delete config
+        db(db.config.id==request.vars["id"]).delete()
+
+        res = {"redirect": "config/index",
+               "message": "config '%s' deleted" % request.vars["id"]}
+        log.admin(res)
+        return gluon.contrib.simplejson.dumps(res, separators=(',',':'))
+    return error_message(ACCESS_DENIED)


 def permission():