Diffstat (limited to 'muck_poc')
-rwxr-xr-xmuck_poc14
1 files changed, 14 insertions, 0 deletions
diff --git a/muck_poc b/muck_poc
index 3da1b4a..9c5239d 100755
--- a/muck_poc
+++ b/muck_poc
@@ -104,6 +104,9 @@ class MuckAPI:
except bottle.HTTPError as e:
return e
+ if not self._access_is_allowed(meta, claims):
+ return bottle.HTTPError(status=404)
+
rev = self._get_resource_revision()
if meta['rev'] != rev:
return bottle.HTTPError(status=400, body='Wrong revision')
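Review bot: The ownership check is copy-pasted into three handlers (here, and in the two later hunks after `_get_existing` on the `'show'` path and in `_delete_res`), so any handler that fetches a resource without these two lines silently skips authorization. Consider doing it in one place, for example a small wrapper that calls `self._get_existing(rid)` and returns `bottle.HTTPError(status=404)` when `self._access_is_allowed(meta, claims)` is false, and have all three handlers call that wrapper. Code paths that read from the store but are not shown in this diff are not covered by the change and should be checked separately. A short comment such as `# 404 rather than 403 so non-owners cannot probe which resource ids exist` would record why this status was chosen. The enclosing method starts and ends outside the hunk.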
@@ -120,6 +123,10 @@ class MuckAPI:
meta, res = self._get_existing(rid)
except bottle.HTTPError as e:
return e
+
+ if not self._access_is_allowed(meta, claims):
+ return bottle.HTTPError(status=404)
+
return self._create_response(200, 'show', meta, res)
def _delete_res(self, claims):
@@ -128,6 +135,10 @@ class MuckAPI:
meta, res = self._get_existing(rid)
except bottle.HTTPError as e:
return e
+
+ if not self._access_is_allowed(meta, claims):
+ return bottle.HTTPError(status=404)
+
delete = muck.DeleteChange(meta, res)
self._store.change(delete)
return self._create_response(200, 'delete', meta, res)
@@ -167,6 +178,9 @@ class MuckAPI:
return ms[rid]
+ def _access_is_allowed(self, meta, claims):
+ return claims['sub'] == meta['owner']
+
def _create_response(self, status, operation, meta, res):
headers = self._meta_headers(meta)
return bottle.HTTPResponse(
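Review bot: `_access_is_allowed` indexes `claims['sub']` and `meta['owner']` directly, so a token without a `sub` claim, or stored metadata without an `owner` field (for instance resources written before ownership was recorded, if any exist), raises `KeyError`. That presumably surfaces as a server error rather than the 404 the callers intend. Failing closed is safer: `owner = meta.get('owner')` followed by `return owner is not None and claims.get('sub') == owner`. A one-line docstring such as `"""Return True only if the token subject owns the resource."""` would also state the policy for the next reader. `_create_response` continues outside the hunk.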