taiga
/
taiga-back
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixed BasePermission to check object owner and project owner too

remotes/origin/enhancement/email-actions
David Barragán Merino 2013-10-07 17:11:50 +02:00
parent 14a2d7f283
commit 797e37d3c0
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
greenmine/base/permissions.py
View File

@ -27,13 +27,23 @@ class BasePermission(permissions.BasePermission):
path_to_project = [] path_to_project = []
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
# Safe method
if request.method in self.safe_methods: if request.method in self.safe_methods:
return True return True
# Object owner
if getattr(obj, "owner", None) == request.user:
return True
project_obj = obj project_obj = obj
for attrib in self.path_to_project: for attrib in self.path_to_project:
project_obj = getattr(project_obj, attrib) project_obj = getattr(project_obj, attrib)
# Project owner
if project_obj.owner == request.user:
return True
# Members permissions
if request.method == "GET": if request.method == "GET":
return has_project_perm(request.user, project_obj, self.get_permission) return has_project_perm(request.user, project_obj, self.get_permission)