From ccc9b9f17eb08977cee1fba425a2876a004266b5 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Mon, 5 Nov 2018 10:50:17 +0200 Subject: Change: allow only owner to see, update, delete a resource --- muck_poc | 14 ++++++++++++++ yarns/100-happy.yarn | 13 +++++++++++++ 2 files changed, 27 insertions(+) diff --git a/muck_poc b/muck_poc index 3da1b4a..9c5239d 100755 --- a/muck_poc +++ b/muck_poc @@ -104,6 +104,9 @@ class MuckAPI: except bottle.HTTPError as e: return e + if not self._access_is_allowed(meta, claims): + return bottle.HTTPError(status=404) + rev = self._get_resource_revision() if meta['rev'] != rev: return bottle.HTTPError(status=400, body='Wrong revision') @@ -120,6 +123,10 @@ class MuckAPI: meta, res = self._get_existing(rid) except bottle.HTTPError as e: return e + + if not self._access_is_allowed(meta, claims): + return bottle.HTTPError(status=404) + return self._create_response(200, 'show', meta, res) def _delete_res(self, claims): @@ -128,6 +135,10 @@ class MuckAPI: meta, res = self._get_existing(rid) except bottle.HTTPError as e: return e + + if not self._access_is_allowed(meta, claims): + return bottle.HTTPError(status=404) + delete = muck.DeleteChange(meta, res) self._store.change(delete) return self._create_response(200, 'delete', meta, res) @@ -167,6 +178,9 @@ class MuckAPI: return ms[rid] + def _access_is_allowed(self, meta, claims): + return claims['sub'] == meta['owner'] + def _create_response(self, status, operation, meta, res): headers = self._meta_headers(meta) return bottle.HTTPResponse( diff --git a/yarns/100-happy.yarn b/yarns/100-happy.yarn index 5a5ba32..88b29a5 100644 --- a/yarns/100-happy.yarn +++ b/yarns/100-happy.yarn 
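Review bot: The `return bottle.HTTPError(status=404)` added before the 'show' response (and its twins in the update and delete paths) needs a comment saying the status is deliberate, otherwise the next reader will "correct" it to 403; answering 404 to a non-owner means the service never confirms that an id exists. A line such as `# 404 rather than 403: do not reveal to non-owners that the id exists` above the check would pin that down, and the same intent belongs in a docstring on `_access_is_allowed`. In the update hunk the check correctly precedes the revision comparison, so `400 'Wrong revision'` is only ever reachable by the owner, which is worth stating in the same comment since the order is what makes it true. The enclosing show handler's `def` line is outside the hunk.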
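Review bot: The owner check in `_delete_res` is the third copy of the same two lines placed after `self._get_existing(rid)`, and any future handler that fetches a resource the same way and forgets the copy is open by default. Moving the check into `_get_existing` (taking `claims` and raising `bottle.HTTPError(status=404)` when `_access_is_allowed` fails) makes every caller fail closed, and the three handlers already catch `bottle.HTTPError` around that call so they would shrink back to their original shape. `_get_existing` itself is not shown in this diff, so this is a follow-up suggestion rather than something verifiable here; deletion is the path where a missed check costs most, so it is the one to protect by construction.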
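Review bot: `_access_is_allowed` reads `claims['sub']` with a plain subscript, so a claims dict without a `sub` raises KeyError and the request ends in a 500 instead of the intended 404; and if `sub` and `meta['owner']` could ever both be absent or None, the comparison would succeed and grant access. The hunk does not show how `claims` is built, so if the token layer guarantees `sub` the KeyError is unreachable, but failing closed costs two lines: `sub = claims.get('sub')` followed by `return sub is not None and sub == meta.get('owner')`. A docstring such as `"""Return True iff the authenticated subject owns the resource described by meta."""` would also record that this helper is the sole authorization check for show, update and delete.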
@@ -36,6 +36,19 @@ Retrieve the resource. THEN response has header "Muck-Revision: ${REV1}" THEN response has header "Muck-Owner: tomjon" +Make sure another user can't retreive, update, or delete the resource. + + WHEN user verence makes request GET /res with header "Muck-Id: ${ID}" + THEN status code is 404 + + WHEN user verence makes request PUT /res with header "Muck-Id: ${ID}" and + ... header "Muck-Revision: ${REV1}" and + ... body { "foo": "foobar" } + THEN status code is 404 + + WHEN user verence makes request DELETE /res with header "Muck-Id: ${ID}" + THEN status code is 404 + Update the resource. WHEN user tomjon makes request PUT /res with header "Muck-Id: ${ID}" and -- cgit v1.2.1
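Review bot: The three verence steps prove only that the responses are 404; nothing in the hunk shows that the denied PUT and DELETE left the resource untouched, which is the property the commit is about. The tomjon PUT with `Muck-Revision: ${REV1}` that follows catches a successful delete only indirectly, and its outcome lies outside the hunk. Add an explicit check right after the verence DELETE: `WHEN user tomjon makes request GET /res with header "Muck-Id: ${ID}"` / `THEN status code is 200` / `THEN response has header "Muck-Revision: ${REV1}"`. Whether verence is a recognised user, so that the 404s come from the owner check rather than from a rejected identity, is decided by setup outside this hunk and is worth confirming. Also "retreive" in the new heading should read "retrieve".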