Protect dashboards from unauthorized access

esensar 2018-09-20 15:19:41 +02:00
parent 6f3826f006
commit eea90a606f
1 changed files with 10 additions and 1 deletions


@ -1,4 +1,5 @@
from flask import g from flask import g
from flask_restful import abort
from marshmallow import Schema, fields from marshmallow import Schema, fields
from webargs.flaskparser import use_args from webargs.flaskparser import use_args
from flasgger import swag_from from flasgger import swag_from
@ -23,12 +24,20 @@ class DashboardsSchema(Schema):
class DashboardResource(ProtectedResource): class DashboardResource(ProtectedResource):
@swag_from('swagger/get_dashboard_spec.yaml') @swag_from('swagger/get_dashboard_spec.yaml')
def get(self, dashboard_id): def get(self, dashboard_id):
requested_dashboard = dashboard.get_dashboard(dashboard_id)
if requested_dashboard.account_id != g.current_account.id:
abort(403, message='You are not allowed to access this dashboard',
status='error')
return DashboardWrapperSchema().dump( return DashboardWrapperSchema().dump(
{'dashboard': dashboard.get_dashboard(dashboard_id)}), 200 {'dashboard': requested_dashboard}), 200
@use_args(DashboardWrapperSchema()) @use_args(DashboardWrapperSchema())
@swag_from('swagger/update_dashboard_spec.yaml') @swag_from('swagger/update_dashboard_spec.yaml')
def put(self, dashboard_id, args): def put(self, dashboard_id, args):
requested_dashboard = dashboard.get_dashboard(dashboard_id)
if requested_dashboard.account_id != g.current_account.id:
abort(403, message='You are not allowed to access this dashboard',
status='error')
args = args['dashboard'] args = args['dashboard']
success = dashboard.update_dashboard( success = dashboard.update_dashboard(
dashboard_id, dashboard_id,