Commit 62442663 authored by Gunnar Schaefer's avatar Gunnar Schaefer

lock down user and groups routes

parent 60da5c51
...@@ -59,7 +59,12 @@ class Experiments(nimsapiutil.NIMSRequestHandler): ...@@ -59,7 +59,12 @@ class Experiments(nimsapiutil.NIMSRequestHandler):
def get(self): def get(self):
"""Return the list of Experiments.""" """Return the list of Experiments."""
query = {'permissions.uid': self.uid} if not self.user_is_superuser else None query = None
if not self.user_is_superuser:
if self.request.get('admin').lower() in ('1', 'true'):
query = {'permissions': {'$elemMatch': {'uid': self.uid, 'role': 'admin'}}}
else:
query = {'permissions.uid': self.uid}
projection = {'group': 1, 'name': 1, 'timestamp': 1, 'notes': 1, 'permissions': {'$elemMatch': {'uid': self.uid}}} projection = {'group': 1, 'name': 1, 'timestamp': 1, 'notes': 1, 'permissions': {'$elemMatch': {'uid': self.uid}}}
experiments = list(self.app.db.experiments.find(query, projection)) experiments = list(self.app.db.experiments.find(query, projection))
for exp in experiments: for exp in experiments:
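Review bot: The new `admin` flag is silently ignored for superusers: `query` stays `None` whenever `self.user_is_superuser`, so a superuser calling `?admin=1` gets every experiment instead of the admin-role subset, and Groups.get in this same commit has the identical asymmetry. If that is intended, the docstring should say so (`"""Return the list of Experiments; superusers always get all of them, ?admin is only honoured for other users."""`); otherwise build the `$elemMatch` filter first and let the superuser branch only drop the `permissions.uid` restriction. The flag parsing `self.request.get('admin').lower() in ('1', 'true')` is also repeated in three handlers with inconsistent `.lower()` use, so a small `_flag(name)` helper on the base handler would keep them in step. The `for exp in experiments:` loop at the end of the hunk continues below it.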
...@@ -60,6 +60,8 @@ class Users(nimsapiutil.NIMSRequestHandler): ...@@ -60,6 +60,8 @@ class Users(nimsapiutil.NIMSRequestHandler):
def get(self): def get(self):
"""Return the list of Users.""" """Return the list of Users."""
if self.uid == '@public':
self.abort(403, 'must be logged in to retrieve User list')
return list(self.app.db.users.find({}, ['firstname', 'lastname', 'email_hash'])) return list(self.app.db.users.find({}, ['firstname', 'lastname', 'email_hash']))
def put(self): def put(self):
...@@ -110,6 +112,8 @@ class User(nimsapiutil.NIMSRequestHandler): ...@@ -110,6 +112,8 @@ class User(nimsapiutil.NIMSRequestHandler):
def get(self, uid): def get(self, uid):
"""Return User details.""" """Return User details."""
if self.uid == '@public':
self.abort(403, 'must be logged in to retrieve User info')
projection = [] projection = []
if self.request.get('remotes') in ('1', 'true'): if self.request.get('remotes') in ('1', 'true'):
projection += ['remotes'] projection += ['remotes']
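Review bot: The only gate added to User.get is "is logged in"; nothing in the hunk relates the requested `uid` to `self.uid` or to `self.user_is_superuser`, so any authenticated account can read any other user's record and, with `?remotes=1`, its `remotes` field as well (what that field holds is not visible here). If `remotes` is anything beyond public profile data, gate that projection: `if self.request.get('remotes').lower() in ('1', 'true') and (uid == self.uid or self.user_is_superuser):` — note this test also lacks the `.lower()` the other flag checks in the commit use. The `self.uid == '@public'` / `abort(403, ...)` pair is now duplicated in Users.get and User.get; a shared helper on NIMSRequestHandler (for example `self.require_login()`) would keep future routes from omitting it. The method body continues below the hunk.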
...@@ -178,7 +182,19 @@ class Groups(nimsapiutil.NIMSRequestHandler): ...@@ -178,7 +182,19 @@ class Groups(nimsapiutil.NIMSRequestHandler):
def get(self): def get(self):
"""Return the list of Groups.""" """Return the list of Groups."""
return list(self.app.db.groups.find(None, ['name'])) query = None
if not self.user_is_superuser:
if self.request.get('admin').lower() in ('1', 'true'):
query = {'roles': {'$elemMatch': {'uid': self.uid, 'role': 'admin'}}}
elif self.request.get('experiment_permissions').lower() in ('1', 'true'):
experiments = [exp['_id'] for exp in self.app.db.experiments.aggregate([
{'$match': {'permissions.uid': self.uid}},
{'$group': {'_id': '$group'}},
])['result']]
query = {'_id': {'$in': experiments}}
else:
query = {'roles.uid': self.uid}
return list(self.app.db.groups.find(query, ['name']))
def put(self): def put(self):
"""Update many Groups.""" """Update many Groups."""
...@@ -229,7 +245,10 @@ class Group(nimsapiutil.NIMSRequestHandler): ...@@ -229,7 +245,10 @@ class Group(nimsapiutil.NIMSRequestHandler):
"""Return Group details.""" """Return Group details."""
group = self.app.db.groups.find_one({'_id': gid}) group = self.app.db.groups.find_one({'_id': gid})
if not group: if not group:
self.abort(404, 'no such Group') self.abort(404, 'no such Group: ' + gid)
group = self.app.db.groups.find_one({'_id': gid, 'roles': {'$elemMatch': {'uid': self.uid, 'role': 'admin'}}})
if not group:
self.abort(403, 'User ' + self.uid + ' is not an admin on Group ' + gid)
return group return group
def put(self, gid): def put(self, gid):
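Review bot: Group.get now answers 404 for an unknown gid but 403 for an existing group the caller does not administer, and since there is no login check the `@public` user gets that distinction too, so valid group ids can be enumerated by status code; the 403 message additionally echoes `self.uid` and `gid` back to the client. Folding the role test into a single query and returning one 404 for both cases removes the oracle, and if a distinct 403 for known groups is the intended contract, the route should at least require login first. Separately, `self.user_is_superuser` is never consulted here, so a superuser holding no admin role on the group is locked out even though Groups.get in this same commit hands superusers the full list. The enclosing `get(self, gid)` starts above the hunk.
```python
        query = {'_id': gid}
        if not self.user_is_superuser:
            # non-superusers must hold the admin role on this group
            query['roles'] = {'$elemMatch': {'uid': self.uid, 'role': 'admin'}}
        group = self.app.db.groups.find_one(query)
        if not group:
            # one status for "missing" and "not yours" so gids cannot be enumerated
            self.abort(404, 'no such Group: ' + gid)
        return group
```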