示例#1
def if_resource_owner(resource, user):
    """Tell whether ``user`` may be treated as owner of ``resource``.

    Returns ``False`` when the user lacks the 'flod_brukere' role or when
    the looked-up resource details carry no ``id``.  Otherwise the decision
    is delegated to ``can_user_edit_facility`` and its result is returned
    unchanged.
    """
    # Role gate first: users without the role are rejected before any
    # lookup is made.
    if has_role(user, 'flod_brukere'):
        # Some models (e.g. Application) wrap the real resource in a
        # ``resource`` attribute; unwrap it before reading the URI.
        target = resource.resource if hasattr(resource, 'resource') else resource

        # NOTE(review): if get_resource_from_web can return None, the
        # ``.get`` below raises instead of denying access -- confirm.
        details = get_resource_from_web(target.uri)
        remote_id = details.get('id')

        if remote_id is not None:
            # The caller's cookies are passed along with the edit check.
            return can_user_edit_facility(user['id'], remote_id, request.cookies)
    return False
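    def validate(self, f, *args, **kwargs):
        """Check that the current user may edit the facility the request targets.

        The facility id is taken from the first of these sources that is
        present: the ``facility_id`` keyword argument, the facility of the
        image named by ``image_id``, the facility of the document named by
        ``document_id``, or the ``facilityId`` field of the submitted form.

        ``self.fail`` is called with status 403 when no facility id can be
        resolved, when no user id is found for the request cookies, or when
        the repository reports that the user may not edit the facility.

        NOTE(review): only the first matching source is authorized.  A view
        that receives e.g. both ``facility_id`` and ``image_id`` must check
        for itself that the image belongs to that facility -- confirm
        against the decorated views.
        """
        # Start from "unresolved" so that a request matching none of the
        # sources is denied instead of raising UnboundLocalError.
        facility_id = None

        if kwargs.get("facility_id", None):  # the normal case: a facility
            facility_id = kwargs["facility_id"]
        elif kwargs.get("image_id", None):  # an image related to a facility
            image = current_app.db_session.query(Image).get(kwargs["image_id"])
            # An unknown image id is treated as "no facility" (denied below)
            # rather than failing on attribute access.
            if image is not None:
                facility_id = image.facility_id
        elif kwargs.get("document_id", None):  # a document related to a facility
            document = current_app.db_session.query(Document).get(kwargs["document_id"])
            if document is not None:
                facility_id = document.facility_id
        else:
            # POST image/document with facility id in form; an absent or
            # empty field leaves the facility unresolved.
            facility_id = request.form.get('facilityId') or None

        # Fail closed: without a facility id there is nothing to authorize,
        # so the repository is not asked and the request is rejected.
        valid = False
        if facility_id is not None:
            user_id = repo.get_user_id_for_user(cookies=request.cookies)
            valid = user_id and repo.can_user_edit_facility(user_id, facility_id,
                                                            cookies=request.cookies)
        if not valid:
            self.fail("You do not have privileges to edit facility %s." % facility_id,
                      f, 403, None, *args, **kwargs)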