Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
user = lazy_property(get_user, set_user)
+ def has_perm(self, who):
+ """
+ Returns True if "who" has permissions to use this upload
+ """
+ if self.builder == who or self.user == who:
+ return True
+
+ # No permission
+ return False
+
async def delete(self):
log.info("Deleting upload %s (%s)" % (self, self.path))
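Review bot: has_perm() compares `who` against `self.builder` and `self.user` with `==`, so a `who` of None matches whichever of the two attributes is unset on the upload and the method returns True. Whether the caller can ever pass None (for example an unauthenticated `self.current_user`) is not visible in this diff, but the model method should not rely on that. Add `if who is None: return False` as the first statement, before the comparison. The docstring could also say that only the builder or user that created the upload is accepted.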
if not upload:
raise tornado.web.HTTPError(404, "Could not find upload")
- # XXX check permissions of the upload
+ # Check permissions of the upload
+ if not upload.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403, "No permission for using upload %s" % upload)
with self.db.transaction():
# Try opening the archive
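Review bot: The 403 message is formatted with `%` before it is passed as HTTPError's log_message, which Tornado then uses as a format string when it logs the error. A literal `%` in the upload's string form (presumably derived from client-supplied data such as a filename) would garble that log record. Pass the argument separately instead: `raise tornado.web.HTTPError(403, "No permission for using upload %s", upload)`. The record would also be more useful for auditing denied access if it named the caller, e.g. `"%s has no permission for using upload %s", self.current_user, upload`. The enclosing handler method starts and ends outside this hunk.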