Permission check for already implemented functions

Signed-off-by: Tiago Garcia <tiago.rgarcia@ua.pt>
This commit is contained in:
Tiago Garcia 2024-12-15 02:20:26 +00:00
parent 17cbf845c7
commit 5e21a77c5d
Signed by: TiagoRG
GPG Key ID: DFCD48E3F420DB42
3 changed files with 19 additions and 13 deletions


@ -2,7 +2,7 @@ import json
from flask import Blueprint, request, jsonify, send_file, Response from flask import Blueprint, request, jsonify, send_file, Response
import utils from utils import Perm, get_hex_from_temp_file, get_hash, check_valid_time
from services import FileService, OrganizationService, UserService, SessionService from services import FileService, OrganizationService, UserService, SessionService
file_bp = Blueprint("file", __name__) file_bp = Blueprint("file", __name__)
@ -22,7 +22,7 @@ def file_get_content(file_handle: str):
@file_bp.route("/get/<string:document_handle>/metadata", methods=["GET"]) @file_bp.route("/get/<string:document_handle>/metadata", methods=["GET"])
def file_get_metadata(document_handle: str): def file_get_metadata(document_handle: str):
session_token = request.headers.get("Authorization") session_token = request.headers.get("Authorization")
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_READ])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
@ -41,7 +41,7 @@ def file_get_metadata(document_handle: str):
def file_upload_metadata(): def file_upload_metadata():
session_token = request.headers.get("Authorization") session_token = request.headers.get("Authorization")
print(session_token) print(session_token)
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_NEW])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
@ -69,7 +69,7 @@ def file_upload_content():
if not session_token: if not session_token:
return jsonify({"error": "No session token"}), 400 return jsonify({"error": "No session token"}), 400
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_NEW])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
@ -83,13 +83,13 @@ def file_upload_content():
if not file: if not file:
return jsonify({"error": "Invalid file data"}), 400 return jsonify({"error": "Invalid file data"}), 400
file_data = utils.get_hex_from_temp_file(file.stream) file_data = get_hex_from_temp_file(file.stream)
file_sum = request.headers.get("File-Checksum") file_sum = request.headers.get("File-Checksum")
if not file_sum: if not file_sum:
return jsonify({"error": "No file checksum provided"}), 400 return jsonify({"error": "No file checksum provided"}), 400
if file_sum != str(utils.get_hash(file_data)): if file_sum != str(get_hash(file_data)):
return jsonify({"error": "File checksum mismatch"}), 400 return jsonify({"error": "File checksum mismatch"}), 400
file = upload_service.write_file(session_token, file_sum, file_data) file = upload_service.write_file(session_token, file_sum, file_data)
@ -131,12 +131,12 @@ def file_list():
return jsonify({"error": "User not found"}), 404 return jsonify({"error": "User not found"}), 404
files = FileService.list_files_in_org(org) files = FileService.list_files_in_org(org)
return jsonify([file.to_dict() for file in files if file.creator_id == user.id and ( return jsonify([file.to_dict() for file in files if file.creator_id == user.id and (
utils.check_valid_time(file.created_at, datetime_value, datetime_relation) check_valid_time(file.created_at, datetime_value, datetime_relation)
if "datetime" in data else True if "datetime" in data else True
)]) )])
files = FileService.list_files_in_org(org) files = FileService.list_files_in_org(org)
return jsonify([file.to_dict() for file in files if (utils.check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True)]) return jsonify([file.to_dict() for file in files if (check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True)])
@file_bp.route("/delete/<string:document_handle>", methods=["POST"]) @file_bp.route("/delete/<string:document_handle>", methods=["POST"])
@ -145,7 +145,7 @@ def file_delete(document_handle: str):
if not session_token: if not session_token:
return jsonify({"error": "No session token"}), 400 return jsonify({"error": "No session token"}), 400
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_DELETE])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
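Review bot: `print(session_token)` in the file_upload_metadata hunk writes the caller's bearer token to stdout on every request, where it lands in process logs; it is a context line the commit leaves in place and should simply be deleted. Separately, file_get_metadata and file_upload_metadata call `SessionService.validate_session(session_token, ...)` without the `if not session_token:` / `return jsonify({"error": "No session token"}), 400` guard that file_upload_content and file_delete have, and validate_session opens with `if "Bearer" in token:`, so a request with no Authorization header raises a TypeError (a 500) instead of a 400; add the same two-line guard before each call. file_list's own validate_session call is outside its hunk, so I cannot tell whether it received a required_perms argument; if it did not, it would be the one read path left without DOC_READ. Every route body here continues outside its hunk.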


@ -2,6 +2,7 @@ import json
import utils import utils
from flask import Blueprint, request, jsonify from flask import Blueprint, request, jsonify
from services import UserService, SessionService, OrganizationService from services import UserService, SessionService, OrganizationService
from utils import Perm
user_bp = Blueprint("user", __name__) user_bp = Blueprint("user", __name__)
@ -74,7 +75,7 @@ def user_create():
if not session_token: if not session_token:
return jsonify({"error": "No session token"}), 400 return jsonify({"error": "No session token"}), 400
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_NEW])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
@ -108,7 +109,7 @@ def user_suspend(username):
if not session_token: if not session_token:
return jsonify({"error": "No session token"}), 400 return jsonify({"error": "No session token"}), 400
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_DOWN])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
@ -129,7 +130,7 @@ def user_unsuspend(username):
if not session_token: if not session_token:
return jsonify({"error": "No session token"}), 400 return jsonify({"error": "No session token"}), 400
session = SessionService.validate_session(session_token) session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_UP])
if isinstance(session, tuple): if isinstance(session, tuple):
return session return session
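Review bot: The new `from utils import Perm` line sits directly under the existing `import utils`, so this module now mixes both import styles, while the first changed file was converted wholesale to `from utils import ...`; either drop the new line and write `utils.Perm.SUBJECT_NEW` and friends, or migrate the remaining `utils.` uses the way the other file did. The three validate_session calls are otherwise consistent with the token guards above them; each route body continues outside its hunk.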


@ -33,7 +33,7 @@ class SessionService:
db.commit() db.commit()
@staticmethod @staticmethod
def validate_session(token: str) -> tuple | Session: def validate_session(token: str, required_perms: list[Perm] = None) -> tuple | Session:
from services import OrganizationService from services import OrganizationService
if "Bearer" in token: if "Bearer" in token:
@ -51,6 +51,11 @@ class SessionService:
if status != "active": if status != "active":
return jsonify({"error": "User is not active"}), 403 return jsonify({"error": "User is not active"}), 403
if required_perms:
for perm in required_perms:
if not SessionService.check_permission(session, perm):
return jsonify({"error": f"Permission denied, missing required permission: {perm}"}), 403
return session return session
@staticmethod @staticmethod
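Review bot: With `required_perms: list[Perm] = None` the permission check is opt-in — a caller that omits the argument, or passes an empty list (the `if required_perms:` test treats `[]` like None), gets an authentication-and-active-status check only, so a forgotten argument fails open silently. That is a defensible design, but it needs a docstring on validate_session stating that `required_perms` lists permissions the session must all hold, that None or an empty list means no authorization is enforced, and that the tuple return is a ready `(response, status)` pair for the caller to return as-is. The annotation should also read `required_perms: list[Perm] | None = None`, matching the `tuple | Session` style already on the same line. The 403 body names the missing permission; a generic "Permission denied" with the detail logged server-side is the more conservative choice, though whether that detail may reach the client is a policy decision for this API. The method body continues outside the hunk, and the `Perm` import for this module is not visible in it.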