From 5afb84bc0a3028aab37c21680bfed14887beccc7 Mon Sep 17 00:00:00 2001 From: j <0x006A@0x2620.org> Date: Sun, 2 Jun 2013 10:40:41 +0000 Subject: [PATCH] check canManageUsers capability to provide access to manage users api, fixes #1564 --- pandora/user/decorators.py | 17 +++++++++++++++++ pandora/user/views.py | 10 +++++----- 2 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 pandora/user/decorators.py diff --git a/pandora/user/decorators.py b/pandora/user/decorators.py new file mode 100644 index 000000000..a8ba8bb8f --- /dev/null +++ b/pandora/user/decorators.py @@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +# vi:si:et:sw=4:sts=4:ts=4 +try: + from django.contrib.auth.decorators import wraps +except: + from django.utils.functional import wraps +from ox.django.shortcuts import render_to_json_response, json_response + +def capability_required_json(capability): + def capability_required(function=None): + def _wrapped_view(request, *args, **kwargs): + if request.user.is_authenticated() and \ + request.user.get_profile().capability(capability): + return function(request, *args, **kwargs) + return render_to_json_response(json_response(status=403, text='permissino denied')) + return wraps(function)(_wrapped_view) + return capability_required diff --git a/pandora/user/views.py b/pandora/user/views.py index b7b1913c2..fb7d0aeec 100644 --- a/pandora/user/views.py +++ b/pandora/user/views.py @@ -13,7 +13,7 @@ from django.db.models import Max from django.contrib.auth.models import User, Group from ox.django.shortcuts import render_to_json_response, json_response, get_object_or_404_json -from ox.django.decorators import admin_required_json, login_required_json +from ox.django.decorators import login_required_json import ox @@ -22,7 +22,7 @@ from item.models import Access, Item from item import utils import models - +from decorators import capability_required_json def signin(request): ''' @@ -303,7 +303,7 @@ def requestToken(request): actions.register(requestToken, cache=False) -@admin_required_json +@capability_required_json('canManageUsers') def editUser(request): ''' takes { @@ -356,7 +356,7 @@ def editUser(request): return render_to_json_response(response) actions.register(editUser, cache=False) -@admin_required_json +@capability_required_json('canManageUsers') def removeUser(request): ''' takes { @@ -440,7 +440,7 @@ def order_query(qs, sort): qs = qs.order_by(*order_by, nulls_last=True) return qs -@admin_required_json +@capability_required_json('canManageUsers') def findUsers(request): ''' takes {