fix: [trackers] fix tracker view objects acl for global trackers
parent
1c0468e7c0
commit
3d3b4d6da2
@ -762,6 +762,9 @@ def delete_obj_trackers(obj_type, subtype, obj_id):
|
||||||
#### TRACKERS ACL ####
|
#### TRACKERS ACL ####
|
||||||
|
|
||||||
## LEVEL ##
|
## LEVEL ##
|
||||||
|
def is_tracker_global_level(tracker_uuid):
|
||||||
|
return r_tracker.hget(f'tracker:{tracker_uuid}', 'level') == 1
|
||||||
|
|
||||||
def is_tracked_in_global_level(tracked, tracker_type):
|
def is_tracked_in_global_level(tracked, tracker_type):
|
||||||
for tracker_uuid in get_trackers_by_tracked(tracker_type, tracked):
|
for tracker_uuid in get_trackers_by_tracked(tracker_type, tracked):
|
||||||
tracker = Tracker(tracker_uuid)
|
tracker = Tracker(tracker_uuid)
|
||||||
|
@ -805,6 +808,19 @@ def api_is_allowed_to_edit_tracker(tracker_uuid, user_id):
|
||||||
return {"status": "error", "reason": "Access Denied"}, 403
|
return {"status": "error", "reason": "Access Denied"}, 403
|
||||||
return {"uuid": tracker_uuid}, 200
|
return {"uuid": tracker_uuid}, 200
|
||||||
|
|
||||||
|
|
||||||
|
def api_is_allowed_to_access_tracker(tracker_uuid, user_id):
|
||||||
|
if not is_valid_uuid_v4(tracker_uuid):
|
||||||
|
return {"status": "error", "reason": "Invalid uuid"}, 400
|
||||||
|
tracker_creator = r_tracker.hget('tracker:{}'.format(tracker_uuid), 'user_id')
|
||||||
|
if not tracker_creator:
|
||||||
|
return {"status": "error", "reason": "Unknown uuid"}, 404
|
||||||
|
user = User(user_id)
|
||||||
|
if not is_tracker_global_level(tracker_uuid):
|
||||||
|
if not user.is_in_role('admin') and user_id != tracker_creator:
|
||||||
|
return {"status": "error", "reason": "Access Denied"}, 403
|
||||||
|
return {"uuid": tracker_uuid}, 200
|
||||||
|
|
||||||
##-- ACL --##
|
##-- ACL --##
|
||||||
|
|
||||||
#### FIX DB #### TODO ###################################################################
|
#### FIX DB #### TODO ###################################################################
|
||||||
|
|
|
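Review bot: `is_tracker_global_level` compares the raw `r_tracker.hget(..., 'level')` result with the integer `1`; the same client's `hget(..., 'user_id')` result is compared against the string `user_id` two functions below, which suggests `hget` yields `str` (or `bytes` without `decode_responses`), so `== 1` would be false for every tracker and `api_is_allowed_to_access_tracker` would still deny every non-creator, global or not — exactly what the commit title says it fixes. Convert before comparing and tolerate a missing field: `level = r_tracker.hget(f'tracker:{tracker_uuid}', 'level')` then `return level is not None and int(level) == 1`. The new access function also repeats the uuid-validation and creator lookup of `api_is_allowed_to_edit_tracker` (whose start is outside the hunk) and uses `'tracker:{}'.format(...)` where the new sibling uses an f-string; factoring the shared prelude into one helper would keep the two ACL paths from drifting. A one-line docstring would make the read/edit distinction explicit, e.g. `"""Return ({'uuid': ...}, 200) if user_id may view the tracker: anyone for a global (level 1) tracker, otherwise only its creator or an admin; 400/404/403 error tuples otherwise."""`.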
@ -145,7 +145,7 @@ def tracked_menu_admin():
|
||||||
def show_tracker():
|
def show_tracker():
|
||||||
user_id = current_user.get_id()
|
user_id = current_user.get_id()
|
||||||
tracker_uuid = request.args.get('uuid', None)
|
tracker_uuid = request.args.get('uuid', None)
|
||||||
res = Tracker.api_is_allowed_to_edit_tracker(tracker_uuid, user_id)
|
res = Tracker.api_is_allowed_to_access_tracker(tracker_uuid, user_id)
|
||||||
if res[1] != 200: # invalid access
|
if res[1] != 200: # invalid access
|
||||||
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]
|
||||||
|
|
||||||
|
|
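Review bot: Switching `show_tracker` from the edit check to `api_is_allowed_to_access_tracker` widens who reaches the rest of this view to any authenticated user for a global tracker, and the body after `return Response(...)` lies outside the hunk, so whatever it renders or mutates must no longer assume the caller passed the edit check. If the template exposes edit/delete controls or the view returns creator-only fields, gate those separately with `Tracker.api_is_allowed_to_edit_tracker(tracker_uuid, user_id)` rather than inferring permission from the view check. `request.args.get('uuid', None)` can hand `None` to `is_valid_uuid_v4`; presumably that returns False and yields the 400 path — confirm it does not raise.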