authorLars Wirzenius <liw@liw.fi>2018-11-05 10:50:17 +0200
committerLars Wirzenius <liw@liw.fi>2018-11-05 10:50:17 +0200
commitccc9b9f17eb08977cee1fba425a2876a004266b5 (patch)
treed567b1fe2a87156fff1e8fdf5ea5e348bb4ddae2
parent82aa16698668375881e9edcab46965e4be3f5b83 (diff)
Change: allow only owner to see, update, delete a resource
-rwxr-xr-xmuck_poc14
-rw-r--r--yarns/100-happy.yarn13
2 files changed, 27 insertions, 0 deletions
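--- a/muck_poc
+++ b/muck_poc
@@ -104,6 +104,9 @@ class MuckAPI:
 except bottle.HTTPError as e:
 return e
+if not self._access_is_allowed(meta, claims):
+return bottle.HTTPError(status=404)
+
 rev = self._get_resource_revision()
 if meta['rev'] != rev:
 return bottle.HTTPError(status=400, body='Wrong revision')
@@ -120,6 +123,10 @@ class MuckAPI:
 meta, res = self._get_existing(rid)
 except bottle.HTTPError as e:
 return e
+
+if not self._access_is_allowed(meta, claims):
+return bottle.HTTPError(status=404)
+
 return self._create_response(200, 'show', meta, res)
 def _delete_res(self, claims):
@@ -128,6 +135,10 @@ class MuckAPI:
 meta, res = self._get_existing(rid)
 except bottle.HTTPError as e:
 return e
+
+if not self._access_is_allowed(meta, claims):
+return bottle.HTTPError(status=404)
+
 delete = muck.DeleteChange(meta, res)
 self._store.change(delete)
 return self._create_response(200, 'delete', meta, res)
@@ -167,6 +178,9 @@ class MuckAPI:
 return ms[rid]
+def _access_is_allowed(self, meta, claims):
+return claims['sub'] == meta['owner']
+
 def _create_response(self, status, operation, meta, res):
 headers = self._meta_headers(meta)
 return bottle.HTTPResponse(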
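Review bot: `_access_is_allowed` in the last hunk indexes `claims['sub']` and `meta['owner']` directly, so a token without a `sub` claim or a resource record stored without an owner raises KeyError and surfaces as a 500 rather than the 404 the three callers intend. A fail-closed form is `sub = claims.get('sub')` followed by `return sub is not None and sub == meta.get('owner')` — the `is not None` guard is needed because two missing values would otherwise compare equal and grant access. The helper also deserves a docstring recording why denial is reported as 404, e.g. `"""Return True only when the token subject is the resource owner; non-owners get 404 so they cannot tell a missing resource from a forbidden one."""`, which is the property the three call sites (update, show, delete) rely on, and the update path correctly runs this check before the revision comparison so a non-owner learns nothing about the current revision. This all assumes `meta['owner']` is assigned server-side from the creator's claims rather than taken from the request, which is outside this diff; the enclosing handler bodies also start outside their hunks.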
diff --git a/yarns/100-happy.yarn b/yarns/100-happy.yarn
index 5a5ba32..88b29a5 100644
--- a/yarns/100-happy.yarn
+++ b/yarns/100-happy.yarn
@@ -36,6 +36,19 @@ Retrieve the resource.
THEN response has header "Muck-Revision: ${REV1}"
THEN response has header "Muck-Owner: tomjon"
+Make sure another user can't retreive, update, or delete the resource.
+
+ WHEN user verence makes request GET /res with header "Muck-Id: ${ID}"
+ THEN status code is 404
+
+ WHEN user verence makes request PUT /res with header "Muck-Id: ${ID}" and
+ ... header "Muck-Revision: ${REV1}" and
+ ... body { "foo": "foobar" }
+ THEN status code is 404
+
+ WHEN user verence makes request DELETE /res with header "Muck-Id: ${ID}"
+ THEN status code is 404
+
Update the resource.
WHEN user tomjon makes request PUT /res with header "Muck-Id: ${ID}" and