Merge pull request #352 from MetaCell/feature/SCKAN-341
SCKAN-341 fix: Update isOwner permission to check for related entity …
ddelpiano authored Nov 6, 2024
2 parents 64398c9 + 6f56191 commit 79c5ff8
Showing 2 changed files with 5 additions and 23 deletions.
23 changes: 2 additions & 21 deletions backend/composer/api/permissions.py
Expand Up @@ -25,8 +25,8 @@ def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS:
return True

# Checks if creator is the owner of the related entity (if related entity exists)
if request.method == 'POST':
# If creating a new instance, ensure related entity ownership
if request.method == 'POST' and view.action == 'create':
return check_related_entity_ownership(request)

# For unsafe methods (PATCH, PUT, DELETE), allow only authenticated users
Expand Down Expand Up @@ -59,25 +59,6 @@ def has_object_permission(self, request, view, obj):
return obj.connectivity_statement.owner == request.user


class IsSentenceOrStatementOwnerOrSystemUserOrReadOnly(permissions.BasePermission):
"""
Custom permission to allow:
- System user to bypass all checks.
- Only the owner of a sentence or connectivity statement can create a note.
"""

def has_permission(self, request, view):
# Allow system user to bypass all checks
if request.user.username == 'system' and request.user.is_staff:
return True

# Allow read-only access (GET, HEAD, OPTIONS)
if request.method in permissions.SAFE_METHODS:
return True

# For POST (create), PUT, PATCH (update), or DELETE, check ownership
return check_related_entity_ownership(request)


def check_related_entity_ownership(request):
"""
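Review bot: The narrowed guard `if request.method == 'POST' and view.action == 'create':` (taking that pair as the new side) means a POST routed to any other viewset action — a custom `@action(methods=['post'])`, if the views using this class define one — no longer runs `check_related_entity_ownership` and instead falls through to the authenticated-only branch named by the comment below it; whether that is intended cannot be confirmed from this hunk. `view.action` is also only set on ViewSets, so applying this permission class to a plain APIView would raise AttributeError on every POST; `getattr(view, 'action', None) == 'create'` is the usual defensive form and costs nothing. A one-line comment stating the intent would help the next reader, e.g. `# Related-entity ownership is enforced only for create; other POST actions rely on the authenticated-user rule below`. has_permission begins above the hunk, so any system-user bypass that precedes the SAFE_METHODS check is not visible here.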
5 changes: 3 additions & 2 deletions backend/composer/api/views.py
Expand Up @@ -45,7 +45,6 @@
BaseConnectivityStatementSerializer,
)
from .permissions import (
IsSentenceOrStatementOwnerOrSystemUserOrReadOnly,
IsStaffUserIfExportedStateInConnectivityStatement,
IsOwnerOrAssignOwnerOrCreateOrReadOnly,
IsOwnerOfConnectivityStatementOrReadOnly,
Expand Down Expand Up @@ -321,7 +320,9 @@ class NoteViewSet(viewsets.ModelViewSet):

queryset = Note.objects.all()
serializer_class = NoteSerializer
permission_classes = []
permission_classes = [
permissions.IsAuthenticatedOrReadOnly,
]
filterset_class = NoteFilter


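Review bot: The new `permission_classes = [permissions.IsAuthenticatedOrReadOnly]` on NoteViewSet is a tightening over the previous `permission_classes = []` (which applied no check at all), but it stops at authentication: the class removed in this commit required the caller to own the related sentence or connectivity statement before creating a note, and nothing in this hunk restores an object-level check, so any authenticated user can create, update or delete any Note unless the serializer or queryset filters by owner elsewhere. Anonymous callers can also list every Note through `Note.objects.all()` under the ReadOnly half, which is worth stating explicitly if intended. If the ownership rule is still wanted, pair the authentication check with a permission whose `has_permission` calls `check_related_entity_ownership(request)` on create and whose `has_object_permission` compares the note's related owner with `request.user` on update and delete; `IsOwnerOfConnectivityStatementOrReadOnly`, still imported above, covers the statement case but not sentences. NoteViewSet's class header is above the hunk, so any other guard defined on it is not visible here.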