jobs: Use a simpler permission check for control connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/web/jobs.py b/src/web/jobs.py
index e4d6d3aca7c9c5a60bb40d3929bb184d997b1fb3..19eecf2159986d71f90d99dceab8472f7c0626b6 100644 (file)
--- a/src/web/jobs.py
+++ b/src/web/jobs.py
@@ -25,10 +25,10 @@ class APIv1ControlHandler(base.APIMixin, tornado.websocket.WebSocketHandler):
                if not self.job:
                        raise tornado.web.HTTPError(404, "Could not find job %s" % job_id)
 
-               # Check if the builder matches
-               if not self.current_user == self.job.builder:
-                       raise tornado.web.HTTPError(403, "Job %s belongs to %s, not %s" % \
-                               (self.job, self.job.builder, self.current_user))
+               # Check permissions
+               if not self.job.has_perm(self.current_user):
+                       raise tornado.web.HTTPError(403, "%s cannot control job %s" \
+                               % (self.current_user, self.job))
 
                # Consider the job connected
                self.job.connected(self)