[assets] Fix is_shared assets permissions
Give proper access to non-admin users: retrieve only assets from projects the
user belongs to.
frankrousseau committed Sep 15, 2024
1 parent a46cb3d commit 5bbf5fb
Showing 3 changed files with 15 additions and 5 deletions.
11 changes: 7 additions & 4 deletions zou/app/blueprints/assets/resources.py
Expand Up @@ -22,10 +22,10 @@ def check_criterion_access(criterions):
episode_id = criterions.get("episode_id", None)
project_id = shots_service.get_episode(episode_id)["project_id"]

if "is_shared" in criterions and project_id is None:
return permissions.check_manager_permissions()
if "project_id" in criterions:
user_service.check_project_access(project_id)

return user_service.check_project_access(project_id)
return True


class AssetResource(Resource, ArgsMixin):
Expand Down Expand Up @@ -110,7 +110,10 @@ def get(self):
criterions["assigned_to"] = persons_service.get_current_user()[
"id"
]
return assets_service.get_assets(criterions)
return assets_service.get_assets(
criterions,
is_admin=permissions.has_admin_permissions(),
)


class AllAssetsAliasResource(AllAssetsResource):
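Review bot: The new guard `if "project_id" in criterions:` keys on the presence of the criterion key rather than on the resolved `project_id`, so a request that filters by `episode_id` alone derives a project at `project_id = shots_service.get_episode(episode_id)["project_id"]` and then skips `check_project_access` entirely, returning True. Testing the resolved value instead, `if project_id is not None:`, covers both cases without changing behaviour for explicit project filters. With the `is_shared` manager check gone, a non-admin query carrying neither key now passes this function unconditionally and relies solely on the filtering inside `assets_service.get_assets`; if `check_project_access(None)` previously rejected such callers, that widening is worth stating in the commit message. The start of `check_criterion_access` lies above the hunk, so the derivation's own guard is not visible here.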
8 changes: 7 additions & 1 deletion zou/app/services/assets_service.py
Expand Up @@ -84,7 +84,7 @@ def build_entity_type_asset_type_filter():
return ~EntityType.id.in_(ids_to_exclude)


def get_assets(criterions={}):
def get_assets(criterions={}, is_admin=False):
"""
Get all assets for given criterions.
"""
Expand All @@ -102,6 +102,12 @@ def get_assets(criterions={}):
query = query.outerjoin(Task)
query = query.filter(user_service.build_assignee_filter())

if "is_shared" in criterions:
if not is_admin:
query = (
query.join(Project).filter(user_service.build_team_filter())
)

if episode_id is not None:
# Filter based on main episode.
query = query.filter(Entity.source_id == episode_id)
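Review bot: The team restriction under `if "is_shared" in criterions:` is gated on the presence of that key rather than on `is_admin` alone, so a non-admin call with neither `is_shared` nor `project_id` in `criterions` leaves this function with no project restriction at all; whether such calls reach here depends on the callers (`check_criterion_access` in resources.py), which this function cannot see. Applying the filter for every non-admin call, `if not is_admin: query = query.join(Project).filter(user_service.build_team_filter())`, would make `get_assets` fail closed independently of its callers — unless `build_team_filter()` is narrower than `check_project_access` for members with other kinds of access, which I cannot tell from this hunk. The new parameter also deserves a docstring line, e.g. `is_admin: when True, skip the team-membership restriction applied to shared-asset queries; defaults to False so unaware callers stay restricted.` The changed signature `def get_assets(criterions={}, is_admin=False):` keeps a mutable default; `criterions=None` with `criterions = criterions or {}` avoids the shared-dict pitfall, though nothing visible in the hunk mutates it.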
1 change: 1 addition & 0 deletions zou/app/utils/query.py
Expand Up @@ -61,6 +61,7 @@ def apply_criterions_to_db_query(model, db_query, criterions):
)
else:
filters[key] = cast_value(value, field_key)

if filters:
db_query = db_query.filter_by(**filters)

