fix: [trackers] fix tracker view objects acl for global trackers
Terrtia committed Jun 24, 2024
1 parent 1c0468e commit 3d3b4d6
Showing 2 changed files with 17 additions and 1 deletion.
16 changes: 16 additions & 0 deletions bin/lib/Tracker.py
Expand Up @@ -762,6 +762,9 @@ def delete_obj_trackers(obj_type, subtype, obj_id):
#### TRACKERS ACL ####

## LEVEL ##
def is_tracker_global_level(tracker_uuid):
return r_tracker.hget(f'tracker:{tracker_uuid}', 'level') == 1

def is_tracked_in_global_level(tracked, tracker_type):
for tracker_uuid in get_trackers_by_tracked(tracker_type, tracked):
tracker = Tracker(tracker_uuid)
Expand Down Expand Up @@ -805,6 +808,19 @@ def api_is_allowed_to_edit_tracker(tracker_uuid, user_id):
return {"status": "error", "reason": "Access Denied"}, 403
return {"uuid": tracker_uuid}, 200


def api_is_allowed_to_access_tracker(tracker_uuid, user_id):
if not is_valid_uuid_v4(tracker_uuid):
return {"status": "error", "reason": "Invalid uuid"}, 400
tracker_creator = r_tracker.hget('tracker:{}'.format(tracker_uuid), 'user_id')
if not tracker_creator:
return {"status": "error", "reason": "Unknown uuid"}, 404
user = User(user_id)
if not is_tracker_global_level(tracker_uuid):
if not user.is_in_role('admin') and user_id != tracker_creator:
return {"status": "error", "reason": "Access Denied"}, 403
return {"uuid": tracker_uuid}, 200

##-- ACL --##

#### FIX DB #### TODO ###################################################################
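Review bot: `is_tracker_global_level` compares the hash field against the int `1` on the line `return r_tracker.hget(f'tracker:{tracker_uuid}', 'level') == 1`, but a redis client hands hash values back as str (or bytes), so unless r_tracker is a wrapper that converts the field, the comparison is always False, every tracker is treated as non-global, and the new `api_is_allowed_to_access_tracker` keeps denying non-creator access to global trackers — the very case this commit is meant to fix. It fails closed, so there is no exposure, but the view fix would not take effect; `return r_tracker.hget(f'tracker:{tracker_uuid}', 'level') == '1'` (or `int(... or 0) == 1` if the stored form is not fixed) would match how the value comes back. The access check deserves a docstring stating the policy it enforces: any authenticated user may view a global tracker, while non-global trackers are limited to the creator and the admin role, with 400 for a malformed uuid and 404 for an unknown one. The new function also builds the key with `'tracker:{}'.format(tracker_uuid)` while the helper a few lines above uses an f-string for the same key; one form would be cleaner.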
2 changes: 1 addition & 1 deletion var/www/blueprints/hunters.py
Expand Up @@ -145,7 +145,7 @@ def tracked_menu_admin():
def show_tracker():
user_id = current_user.get_id()
tracker_uuid = request.args.get('uuid', None)
res = Tracker.api_is_allowed_to_edit_tracker(tracker_uuid, user_id)
res = Tracker.api_is_allowed_to_access_tracker(tracker_uuid, user_id)
if res[1] != 200: # invalid access
return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]

