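def check_permission(*args, **kwargs):
    """Restrict the asset-id arguments of a view to those the current user may use.

    Only the ``host_id`` and ``host_group_id`` arguments are inspected; every
    other argument is forwarded to ``func`` untouched. Each inspected value is a
    comma-separated list of UUIDs. Ids the user is not allowed to use are
    silently dropped from the list; when nothing survives for any inspected key
    a 403 error response is returned instead of calling ``func``.

    Args:
        *args: positional arguments forwarded to ``func``.
        **kwargs: the view's keyword arguments (URL parameters); on POST the
            form fields are merged over them before inspection.

    Returns:
        Whatever ``func`` returns, or the ``make_error`` 403 response.

    Raises:
        AssertionError: if an inspected value is not a comma-separated list of
            valid UUIDs. NOTE(review): this surfaces to the client as a server
            error; a ``make_error(..., 400)`` would be the cleaner contract.
    """
    allowed_check_params = ('host_id', 'host_group_id')
    url_params = kwargs
    if request.method == "POST":
        # Form fields take precedence over URL keyword arguments on POST.
        url_params = dict(url_params, **request.form)

    params_to_check = {}
    params_not_to_check = {}
    for key, raw_value in url_params.items():
        if key not in allowed_check_params:
            params_not_to_check[key] = raw_value
            continue
        try:
            # Normalise every id to its 32-char hex form so the permission
            # lookup below always sees one canonical spelling.
            params_to_check[key] = [uuid.UUID(x).hex for x in raw_value.split(',')]
        except (ValueError, TypeError, AttributeError):
            # Narrowed from a bare ``except:``, which also swallowed
            # KeyboardInterrupt/SystemExit and masked unrelated bugs.
            raise AssertionError("arg '%s' is not an UUID" % raw_value)

    if not params_to_check:
        # No need to check anything.
        return func(*args, **kwargs)

    params_checked = {}
    for key, ids in params_to_check.items():
        # A list comprehension instead of filter(): on Python 3 filter() returns
        # a lazy object that is always truthy, so the ``if`` below passed even
        # when every id had been rejected and an empty value reached ``func``.
        allowed_ids = [x for x in ids if current_user.is_allowed(x, kind=key)]
        if allowed_ids:
            params_checked[key] = ','.join(allowed_ids)

    if not params_checked:
        return make_error("User '%s' does not have any permission on the specified assets" % current_user.login, 403)

    # Allowed ids replace the caller-supplied lists; untouched args pass through.
    params = dict(params_not_to_check, **params_checked)
    return func(*args, **params)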
def delete_task(id):
    """Delete the task with primary key ``id`` and redirect to its worker's page.

    Only the task's manager or a user holding ``Permission.ADMINISTRATING`` may
    delete it; any other user receives a 403. A missing task yields a 404.
    """
    task = Task.query.get_or_404(id)
    # Read the nickname before the row is deleted; the relationship is gone afterwards.
    assignee_nickname = task.worker.nickname
    if current_user != task.manager:
        # Non-managers need the administrating permission.
        if not current_user.is_allowed(Permission.ADMINISTRATING):
            abort(403)
    task.delete()
    db.session.commit()
    flash('The task has deleted', category='success')
    return redirect(url_for('.user', nickname=assignee_nickname))
def add_new_task():
    """Render the new-task form and create the task on a valid submit.

    The create path runs only when the current user holds ``Permission.USER_M``
    and the submitted form validates; in every other case the form is rendered.
    NOTE(review): a user without USER_M still sees the form -- the permission
    check only gates the submit path, it does not 403 the page.
    """
    form = TaskForm()
    may_create = current_user.is_allowed(Permission.USER_M)
    if may_create and form.validate_on_submit():
        new_task = Task(
            title=form.title.data,
            description=form.description.data,
            assigned_to=form.worker.data,
            # Unwrap the current_user proxy so the real user object is stored.
            manager=current_user._get_current_object(),
            timelimit=form.timelimit.data,
            price=form.price.data,
        )
        db.session.add(new_task)
        assignee_nickname = new_task.worker.nickname
        db.session.commit()
        flash('The task has been added', category='success')
        return redirect(url_for('.user', nickname=assignee_nickname))
    return render_template('new_task.html', form=form)
def edit_task(id):
    """Edit the task with primary key ``id``; render the form or apply a valid submit.

    Only the task's manager or a user holding ``Permission.ADMINISTRATING`` may
    edit it; anyone else receives a 403. On a valid submit the task is updated
    and the response redirects to the page of the worker the task had *before*
    the edit. On GET (or invalid input) the form is pre-filled from the task.
    """
    task = Task.query.get_or_404(id)
    if current_user != task.manager:
        # Non-managers need the administrating permission.
        if not current_user.is_allowed(Permission.ADMINISTRATING):
            abort(403)
    # Captured before the update so the redirect targets the previous assignee.
    previous_worker = task.worker
    form = TaskForm()
    # (task attribute, form field) pairs, in the order they are copied.
    field_map = (
        ('title', 'title'),
        ('description', 'description'),
        ('assigned_to', 'worker'),
        ('timelimit', 'timelimit'),
        ('price', 'price'),
    )
    if form.validate_on_submit():
        for attr, field in field_map:
            setattr(task, attr, getattr(form, field).data)
        db.session.add(task)
        db.session.commit()
        flash('The task has been updated', category='success')
        return redirect(url_for('.user', nickname=previous_worker.nickname))
    for attr, field in field_map:
        getattr(form, field).data = getattr(task, attr)
    return render_template('edit_task.html', form=form)
def before_request():
    """Reject anonymous users and users that are not allowed at all with a 401.

    Runs before every request of the blueprint; an authenticated user that
    fails ``is_allowed()`` also gets 401 here (not 403).
    """
    anonymous = current_user.is_anonymous()
    if anonymous or not current_user.is_allowed():
        abort(401)
def decorated_function(*args, **kwargs):
    """Call the wrapped view ``f`` only when the current user holds ``permission``.

    ``permission`` and ``f`` come from the enclosing decorator; a user lacking
    the permission gets a 403 and ``f`` is never entered.
    """
    if current_user.is_allowed(permission):
        return f(*args, **kwargs)
    abort(403)