Merge pull request #251 from scitran/group-tag-perms

Return entire group obj to users with Read Only permissions

Merge pull request #251 from scitran/group-tag-perms
c9eb2437 · Megan Henning · 449e20c8 · 480f5908 · c9eb2437 · c9eb2437
Commit c9eb2437 authored 9 years ago by Megan Henning
--- a/api/auth/groupauth.py
+++ b/api/auth/groupauth.py
@@ -15,6 +15,8 @@ def default(handler, group=None):
                handler.abort(403, 'not allowed to perform operation')
            elif _get_access(handler.uid, handler.user_site, group) >= INTEGER_ROLES['admin']:
                pass
+            elif method == 'GET' and _get_access(handler.uid, handler.user_site, group) >= INTEGER_ROLES['ro']:
+                pass
            else:
                handler.abort(403, 'not allowed to perform operation')
            return exec_op(method, _id=_id, query=query, payload=payload, projection=projection)
@@ -39,7 +41,6 @@ def list_permission_checker(handler, uid=None):
                        query['roles'] = {'$elemMatch': {'_id': handler.uid, 'access': 'admin'}}
                    else:
                        query['roles._id'] = handler.uid
-                    projection['roles.$'] = 1
            log.debug(query)
            log.debug(projection)
            return exec_op(method, query=query, projection=projection)

--- a/api/handlers/grouphandler.py
+++ b/api/handlers/grouphandler.py
@@ -23,6 +23,8 @@ class GroupHandler(base.RequestHandler):
            self.abort(404, 'no such Group: ' + _id)
        permchecker = groupauth.default(self, group)
        result = permchecker(self.storage.exec_op)('GET', _id)
+        if not self.superuser_request:
+            self._filter_roles([result], self.uid, self.user_site)
        return result

    def delete(self, _id):
@@ -43,11 +45,13 @@ class GroupHandler(base.RequestHandler):
    def get_all(self, uid=None):
        self._init_storage()
        query = None
-        projection = {'name': 1, 'created': 1, 'modified': 1}
+        projection = {'name': 1, 'created': 1, 'modified': 1, 'roles': [], 'tags': []}
        permchecker = groupauth.list_permission_checker(self, uid)
        results = permchecker(self.storage.exec_op)('GET', projection=projection)
        if results is None:
            self.abort(404, 'Not found')
+        if not self.superuser_request:
+            self._filter_roles(results, self.uid, self.user_site)
        if self.debug:
            debuginfo.add_debuginfo(self, 'groups', results)
        return results
@@ -100,3 +104,13 @@ class GroupHandler(base.RequestHandler):
            return group
        else:
            self.abort(404, 'Group {} not found'.format(_id))
+
+    def _filter_roles(self, results, uid, site):
+        """
+        if the user is not admin only her role is returned.
+        """
+        for result in results:
+            user_perm = util.user_perm(result.get('roles', []), uid, site)
+            if user_perm.get('access') != 'admin':
+                result['roles'] = [user_perm] if user_perm else []
+        return results