From: Michael Tremer
Date: Thu, 6 Oct 2022 10:06:55 +0000 (+0000)
Subject: users: Make the permissions model more similar to the other objects
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc373c9c21f2d6c4577ef65e426c4e811d8dd65b;p=pbs.git

users: Make the permissions model more similar to the other objects

Signed-off-by: Michael Tremer
---
diff --git a/src/buildservice/users.py b/src/buildservice/users.py
index 61f48d6f..d56dbfc9 100644
--- a/src/buildservice/users.py
+++ b/src/buildservice/users.py
@@ -334,16 +334,25 @@ class User(base.DataObject):
 	def perms(self):
 		return self.db.get("SELECT * FROM users_permissions WHERE user_id = %s", self.id)
 
-	def has_perm(self, perm):
+	def has_perm(self, user):
 		"""
-			Returns True if the user has the requested permission.
+			Check, if the given user has the right to perform administrative
+			operations on this user.
 		"""
-		# Admins have the permission for everything.
-		if self.is_admin():
+		# Anonymous people have no permission
+		if user is None:
+			return False
+
+		# Admins always have permission
+		if user.is_admin():
+			return True
+
+		# Users can edit themselves
+		if user == self:
 			return True
 
-		# All others must be checked individually.
-		return self.perms.get(perm, False) == True
+		# No permission
+		return False
 
 	@property
 	def sessions(self):
diff --git a/src/templates/users/show.html b/src/templates/users/show.html
index d1b0744c..8f829959 100644
--- a/src/templates/users/show.html
+++ b/src/templates/users/show.html
@@ -45,9 +45,11 @@ {% end %} {% end %} - - {{ _("Create Repository") }} - + {% if user.has_perm(current_user) %} + + {{ _("Create Repository") }} + + {% end %}
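Review bot: `has_perm` keeps its name but changes its contract from "does this user hold permission *perm*" to "may *user* administer this user", so any call site outside this commit that still passes a permission string would now reach `user.is_admin()` on a `str` and fail with an AttributeError instead of a clean denial; I cannot see other callers from here, so they are worth a grep before merging. The `perms` property kept as context at the top of the hunk is no longer read by anything in the new `has_perm`, which means rows in `users_permissions` no longer grant anything — if that is intended, the docstring should say so, e.g. `Fine-grained grants from users_permissions are not consulted here; only admins and the user themselves qualify.` The `user == self` branch relies on `base.DataObject` equality, which is outside the hunk; if that is identity-based, two separately loaded instances of the same user compare unequal and the self-edit branch silently never fires (fail-closed, but surprising to debug). Since the same predicate now gates DeleteHandler in src/web/users.py, the docstring should also state whether a user deleting their own account is intended.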
diff --git a/src/web/users.py b/src/web/users.py
index b26a4932..4c770bac 100644
--- a/src/web/users.py
+++ b/src/web/users.py
@@ -27,7 +27,9 @@ class DeleteHandler(base.BaseHandler):
 		if not user:
 			raise tornado.web.HTTPError(404, "Could not find user %s" % name)
 
-		# XXX Check for permissions
+		# Check for permission
+		if not user.has_perm(self.current_user):
+			raise tornado.web.HTTPError(403)
 
 		self.render("users/delete.html", user=user)
 
@@ -37,7 +39,9 @@ class DeleteHandler(base.BaseHandler):
 		if not user:
 			raise tornado.web.HTTPError(404, "Could not find user %s" % name)
 
-		# XXX Check for permissions
+		# Check for permission
+		if not user.has_perm(self.current_user):
+			raise tornado.web.HTTPError(403)
 
 		with self.db.transaction():
 			user.delete()
@@ -52,7 +56,9 @@ class EditHandler(base.BaseHandler):
 		if not user:
 			raise tornado.web.HTTPError(404, "Could not find user %s" % name)
 
-		# XXX Check for permissions
+		# Check for permission
+		if not user.has_perm(self.current_user):
+			raise tornado.web.HTTPError(403)
 
 		self.render("users/edit.html", user=user)
 
@@ -62,7 +68,9 @@ class EditHandler(base.BaseHandler):
 		if not user:
 			raise tornado.web.HTTPError(404, "Could not find user %s" % name)
 
-		# XXX Check for permissions
+		# Check for permission
+		if not user.has_perm(self.current_user):
+			raise tornado.web.HTTPError(403)
 
 		with self.db.transaction():
 			pass
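Review bot: The same three lines — `# Check for permission` / `if not user.has_perm(self.current_user):` / `raise tornado.web.HTTPError(403)` — are pasted into all four hunks (DeleteHandler and EditHandler, @@ -27, -37, -52 and -62); a small helper on the handler such as `def _check_user_perm(self, user):` wrapping the two lines would keep the authorization check in one place so a later adjustment cannot miss a copy. In every hunk the 403 is raised only after the 404 for an unknown name, so an anonymous request can distinguish an existing username from a non-existent one; if user pages are public anyway this is harmless, otherwise the two cases should answer alike. `self.current_user` is None for anonymous visitors, which `has_perm` turns into a bare 403 rather than a login redirect; if these methods are not already decorated with `@tornado.web.authenticated` (the decorators sit outside the hunks), adding it gives the redirect while `has_perm` still fails closed for logged-in users. The enclosing get/post methods start outside each hunk.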