def if_resource_owner(resource, user):
    """Return True when ``user`` is allowed to edit the facility behind ``resource``.

    Only users holding the ``'flod_brukere'`` role are considered at all.
    ``resource`` may be the resource itself or a model that wraps one in a
    ``resource`` attribute (e.g. Application); the wrapped object is used.
    The resource is then fetched by ``uri`` via ``get_resource_from_web`` and
    its ``'id'`` is passed to ``can_user_edit_facility`` together with the
    cookies of the current request.

    Args:
        resource: a resource, or a model exposing a ``resource`` attribute.
        user: a mapping with at least an ``'id'`` key, as used by ``has_role``.

    Returns:
        False when the role is missing or the remote lookup yields no id,
        otherwise whatever ``can_user_edit_facility`` returns.
    """
    if not has_role(user, 'flod_brukere'):
        return False

    # Models such as Application wrap the resource they refer to; unwrap it.
    target = getattr(resource, 'resource', resource)

    details = get_resource_from_web(target.uri)
    # NOTE(review): assumes get_resource_from_web always returns a dict-like
    # (a None result would raise here) -- confirm against the helper.
    target_id = details.get('id')

    # No id means we cannot tie the resource to a facility: deny.
    if target_id is None:
        return False

    return can_user_edit_facility(user['id'], target_id, request.cookies)
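def validate(self, f, *args, **kwargs):
    """Authorize the wrapped view: the current user must be allowed to edit the facility.

    The facility is resolved, in order of precedence, from ``facility_id`` in
    the view kwargs, from the facility owning ``image_id`` or ``document_id``
    (looked up through ``current_app.db_session``), or from the ``facilityId``
    field of the POSTed form. The user is identified with
    ``repo.get_user_id_for_user`` from the request cookies and checked with
    ``repo.can_user_edit_facility``.

    Args:
        f: the wrapped view function, passed through to ``self.fail``.
        *args, **kwargs: the view's positional and keyword arguments.

    Rejection is delegated to ``self.fail(message, f, 403, None, *args,
    **kwargs)`` (defined on the enclosing class, outside this block) when the
    user is unknown, the facility cannot be resolved, or the edit check
    denies access. Returns None.
    """
    # Start unresolved so that a request matching none of the branches below is
    # denied instead of raising UnboundLocalError (an HTTP 500) further down.
    facility_id = None

    if kwargs.get("facility_id", None):
        # the normal case: a facility id in the route
        facility_id = kwargs["facility_id"]
    elif kwargs.get("image_id", None):
        # an image related to a facility
        image = current_app.db_session.query(Image).get(kwargs["image_id"])
        # .get() returns None for an unknown id; leave facility_id unresolved
        # rather than dereferencing None.
        if image is not None:
            facility_id = image.facility_id
    elif kwargs.get("document_id", None):
        # a document related to a facility
        document = current_app.db_session.query(Document).get(kwargs["document_id"])
        if document is not None:
            facility_id = document.facility_id
    elif request.form.get('facilityId', None):
        # POST image/document with facility id in form
        facility_id = request.form.get('facilityId')

    valid = False
    if facility_id is not None:
        user_id = repo.get_user_id_for_user(cookies=request.cookies)
        valid = user_id and repo.can_user_edit_facility(user_id, facility_id, cookies=request.cookies)

    # Fail closed: unknown user, unresolved facility, or denied edit right.
    if not valid:
        self.fail("You do not have privileges to edit facility %s." % facility_id, f, 403, None, *args, **kwargs)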