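def before_post(*args, **kwargs):
        """
        Validate authorization for POST requests that create a Run.

        The payload in ``kwargs['data']`` must carry a ``user`` value, and the
        caller resolved from the JWT must either be that user or hold the
        "admin" role. Any other case is reported through
        ``raise_permission_denied_exception``.
        """
        data = kwargs['data']
        runner_id = data.get('user')
        if not runner_id:
            raise_permission_denied_exception(
                "Please provide a User relationship for the Run")

        user = get_user_from_jwt()
        # Deny explicitly when no user could be resolved from the JWT, so the
        # request ends in a permission error rather than an AttributeError on
        # ``user.id``.
        # NOTE(review): assumes runner_id and user.id have the same type; a
        # str/int mismatch would deny a non-admin owner -- confirm against the
        # schema that deserializes the relationship.
        if not user or not (user.id == runner_id or user.has_role("admin")):
            raise_permission_denied_exception(
                "User doesn't have permission to create Run for another user")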
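 def before_post(*args, **kwargs):
     """
     Validate authorization for POST requests that create a user.

     If any role named in ``data['roles']`` is flagged ``privileged`` in the
     Role table, the caller resolved from the JWT must exist and hold the
     "admin" role; otherwise permission is denied.

     A payload without roles (key missing, ``None`` or empty) requests no
     privileged role, so it passes without a database lookup instead of
     failing with a KeyError.
     """
     data = kwargs['data']
     requested_roles = data.get('roles') or []
     if not requested_roles:
         return

     # NOTE(review): assumes ``roles`` is a list of role-name strings. A bare
     # string would be compared character by character and never match a
     # role name -- confirm the schema rejects that shape before this hook.
     privileged_roles = {
         role.name for role in Role.query.filter_by(privileged=True).all()
     }
     if privileged_roles.intersection(requested_roles):
         # Only Admin can create privileged users.
         user = get_user_from_jwt()
         if not user or not user.has_role("admin"):
             raise_permission_denied_exception(
                 "Only admins can create users with privileged roles")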
 def before_delete_object(self, obj, view_kwargs):
     """
     Authorization check for deleting a user object.

     Passes silently when ``UserDetail.is_allowed_to_modify(obj)`` is truthy;
     otherwise reports a permission error. ``view_kwargs`` is not used.
     """
     allowed = UserDetail.is_allowed_to_modify(obj)
     if allowed:
         return
     raise_permission_denied_exception(
         "User doesn't have permission to access the resource.")
 def before_get_object(self, view_kwargs):
     """
     Authorization check for reading a single user object.

     The ``id`` entry of ``view_kwargs`` (``None`` when absent) is handed to
     ``UserDetail.self_or_privileged_user``; a falsy answer is reported as a
     permission error.
     """
     requested_id = view_kwargs.get('id')
     if UserDetail.self_or_privileged_user(requested_id):
         return
     raise_permission_denied_exception(
         "User doesn't have permission to access the resource.")
 def before_delete_object(self, obj, view_kwargs):
     """
     Authorization check for deleting a run object.

     The ``id`` entry of ``view_kwargs`` (``None`` when absent) and ``obj``
     are handed to ``RunDetail.is_self_run_or_admin_role``; a falsy answer is
     reported as a permission error.
     """
     run_id = view_kwargs.get('id')
     permitted = RunDetail.is_self_run_or_admin_role(run_id, obj)
     if permitted:
         return
     raise_permission_denied_exception(
         "User doesn't have permission to access the resource.")