chg: [items] check obj invesigations acl

otp
terrtia 2024-09-03 16:34:53 +02:00
parent cb45e06ebc
commit cbe09c87c4
No known key found for this signature in database
GPG Key ID: 1E1B1F50D84613D0
2 changed files with 11 additions and 0 deletions


@ -125,6 +125,13 @@ class Investigation(object):
ail_orgs.remove_obj_to_org(self.get_org(), 'investigation', self.uuid) ail_orgs.remove_obj_to_org(self.get_org(), 'investigation', self.uuid)
self.set_level(new_level, new_org_uuid) self.set_level(new_level, new_org_uuid)
def check_level(self, user_org):
level = self.get_level()
if level == 1:
return True
elif level == 2:
return self.get_org() == user_org
## ORG ## ## ORG ##
def get_creator_org(self): def get_creator_org(self):
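Review bot: In `check_level`, the level-2 branch `return self.get_org() == user_org` evaluates to True when both sides are None, so if an investigation and a user can both lack an org (neither is visible in this hunk), the check would pass for that user. Guarding the comparison closes that case, e.g. `return user_org is not None and self.get_org() == user_org`. Any level other than 1 or 2 falls off the end and returns None, which the caller treats as a denial; an explicit `return False` as the last line would make that fail-closed result deliberate. A short docstring should state that level 1 passes for every caller and level 2 only for the owning org. The class body continues outside the hunk.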


@ -62,6 +62,7 @@ def screenshot(filename):
@login_required @login_required
@login_read_only @login_read_only
def showItem(): # # TODO: support post def showItem(): # # TODO: support post
user_org = current_user.get_org()
item_id = request.args.get('id') item_id = request.args.get('id')
if not item_id or not item_basic.exist_item(item_id): if not item_id or not item_basic.exist_item(item_id):
abort(404) abort(404)
@ -80,6 +81,9 @@ def showItem(): # # TODO: support post
invests = [] invests = []
for investigation_uuid in meta['investigations']: for investigation_uuid in meta['investigations']:
inv = Investigations.Investigation(investigation_uuid) inv = Investigations.Investigation(investigation_uuid)
if not inv.check_level(user_org):
continue
invests.append(inv.get_metadata(r_str=True)) invests.append(inv.get_metadata(r_str=True))
meta['investigations'] = invests meta['investigations'] = invests
else: else:
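Review bot: The `if not inv.check_level(user_org): continue` filter sits inside the `showItem` view loop, so it protects only this route; any other code path that builds investigation metadata for an object (none is visible here) would need the same check repeated. Moving the filter into a shared helper that returns only the investigations readable by a given org would keep the ACL in one place. Whichever way it is kept, a comment above the check such as `# ACL: drop investigations the user's org is not allowed to read` would tell the next reader that the silent skip is intentional. The body of `showItem` continues outside the hunk.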