Implement proper permission check for template details

b29365a5 · Szabolcs Gelencser · d3079ae0 · b29365a5
Commit b29365a5 authored May 31, 2018 by Szabolcs Gelencser
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 8 deletions

circle/dashboard/views/template.py
+15 -8

No files found.
--- a/circle/dashboard/views/template.py
+++ b/circle/dashboard/views/template.py
@@ -20,6 +20,7 @@ from datetime import timedelta
 import json
 import logging
+import openstack_api
 from braces.views._access import AccessMixin
 from django.contrib import messages
 from django.contrib.auth.models import User
@@ -219,7 +220,7 @@ class TemplateList(LoginRequiredMixin, FilterMixin, SingleTableView):
        context['search_form'] = self.search_form
-        #TODO: what is this?
+        # TODO: what is this?
        # tem0for t in InstanceTemplate.objects.all()
        # #  if t.instance_set.count() < 1]
@@ -279,6 +280,7 @@ class TemplateList(LoginRequiredMixin, FilterMixin, SingleTableView):
    def get_queryset(self):
        return InstanceTemplate.objects.filter(owner_id=self.request.user.id)
 class TemplateDelete(DeleteViewBase):
    model = InstanceTemplate
    success_message = _("Template successfully deleted.")
@@ -292,19 +294,23 @@ class TemplateDelete(DeleteViewBase):
        object.delete()
 class TemplateDetail(LoginRequiredMixin, GraphMixin, SuccessMessageMixin, UpdateView):
    model = InstanceTemplate
    template_name = "dashboard/template-edit.html"
    form_class = TemplateForm
    success_message = _("Successfully modified template.")
+    def __get_snapshot_ids(self, request):
+        images = openstack_api.glance.image_list_detailed(request)[0]  # TODO: why nested lists?
+        return [
+            i.id for i in images if hasattr(i, 'image_location') and i.image_location == 'snapshot'
+        ]
    def get(self, request, *args, **kwargs):
        template = self.get_object()
-        #TODO: multiple users
+        snapshot_ids = self.__get_snapshot_ids(request)
-        if template.owner_id != request.user.id:
+        if template.image_id not in snapshot_ids:
            raise PermissionDenied()
        if request.is_ajax():
@@ -392,10 +398,10 @@ class TemplateDetail(LoginRequiredMixin, GraphMixin, SuccessMessageMixin, Update
        return reverse_lazy("dashboard.views.template-detail",
                            kwargs=self.kwargs)
-    def post(self, request):
+    def post(self, request, *args, **kwargs):
        template = self.get_object()
-        # TODO: multiple users
+        snapshot_ids = self.__get_snapshot_ids(request)
-        if template.owner_id != request.user.id:
+        if template.image_id not in snapshot_ids:
            raise PermissionDenied()
        return super(TemplateDetail, self).post(self, request, args, kwargs)
@@ -404,6 +410,7 @@ class TemplateDetail(LoginRequiredMixin, GraphMixin, SuccessMessageMixin, Update
        kwargs['user'] = self.request.user
        return kwargs
 #
 # class DiskRemoveView(DeleteViewBase):
 #     model = Disk