From f2a77f9ea6f717c2a5489c88c6cb2da8548480fd Mon Sep 17 00:00:00 2001
From: afonso pinto
Date: Wed, 6 Nov 2024 11:45:20 +0000
Subject: [PATCH 1/2] SCKAN-341 fix: Update isOwner permission to check for related entity ownership only on creation

---
 backend/composer/api/permissions.py | 23 ++---------------------
 backend/composer/api/views.py | 1 -
 2 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/backend/composer/api/permissions.py b/backend/composer/api/permissions.py
index e0a06841..b74891a1 100644
--- a/backend/composer/api/permissions.py
+++ b/backend/composer/api/permissions.py
@@ -25,8 +25,8 @@ def has_permission(self, request, view):
         if request.method in permissions.SAFE_METHODS:
             return True
 
-        # Checks if creator is the owner of the related entity (if related entity exists)
-        if request.method == 'POST':
+        # If creating a new instance, ensure related entity ownership
+        if request.method == 'POST' and view.action == 'create':
             return check_related_entity_ownership(request)
 
         # For unsafe methods (PATCH, PUT, DELETE), allow only authenticated users
@@ -59,25 +59,6 @@ def has_object_permission(self, request, view, obj):
         return obj.connectivity_statement.owner == request.user
 
 
-class IsSentenceOrStatementOwnerOrSystemUserOrReadOnly(permissions.BasePermission):
-    """
-    Custom permission to allow:
-    - System user to bypass all checks.
-    - Only the owner of a sentence or connectivity statement can create a note.
-    """
-    def has_permission(self, request, view):
-        # Allow system user to bypass all checks
-        if request.user.username == 'system' and request.user.is_staff:
-            return True
-        # Allow read-only access (GET, HEAD, OPTIONS)
-        if request.method in permissions.SAFE_METHODS:
-            return True
-        # For POST (create), PUT, PATCH (update), or DELETE, check ownership
-        return check_related_entity_ownership(request)
-
 def check_related_entity_ownership(request):
     """
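Review bot: Narrowing the ownership check to `view.action == 'create'` means a POST to any custom `@action` on a view that uses this permission now skips `check_related_entity_ownership` and falls through to the authenticated-only branch that follows the hunk, so those actions no longer verify ownership of the related sentence or statement. If that is intended, the new comment should state it, e.g. `# Only the default create action checks related-entity ownership; POST-based custom actions fall through to the authenticated-user check below`. `view.action` is also only set on ViewSets, so a plain APIView reusing this class would raise AttributeError on this line; `getattr(view, 'action', None) == 'create'` preserves the behaviour for views without an action attribute. The body of has_permission begins and ends outside the hunk.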
diff --git a/backend/composer/api/views.py b/backend/composer/api/views.py
index f48c8951..8582f56b 100644
--- a/backend/composer/api/views.py
+++ b/backend/composer/api/views.py
@@ -45,7 +45,6 @@
     BaseConnectivityStatementSerializer,
 )
 from .permissions import (
-    IsSentenceOrStatementOwnerOrSystemUserOrReadOnly,
     IsStaffUserIfExportedStateInConnectivityStatement,
     IsOwnerOrAssignOwnerOrCreateOrReadOnly,
     IsOwnerOfConnectivityStatementOrReadOnly,

From 6f561918894a2edb405deb8208bbd363b1aed53d Mon Sep 17 00:00:00 2001
From: afonso pinto
Date: Wed, 6 Nov 2024 13:40:19 +0000
Subject: [PATCH 2/2] SCKAN-323 fix: Add missing Notes permission

---
 backend/composer/api/views.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backend/composer/api/views.py b/backend/composer/api/views.py
index 8582f56b..c6406eb2 100644
--- a/backend/composer/api/views.py
+++ b/backend/composer/api/views.py
@@ -320,7 +320,9 @@ class NoteViewSet(viewsets.ModelViewSet):
     queryset = Note.objects.all()
     serializer_class = NoteSerializer
-    permission_classes = []
+    permission_classes = [
+        permissions.IsAuthenticatedOrReadOnly,
+    ]
     filterset_class = NoteFilter
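Review bot: `permissions.IsAuthenticatedOrReadOnly` carries no object-level check, so with this `permission_classes` list any authenticated user can POST a note against a sentence or statement they do not own and can PUT/PATCH/DELETE notes created by other users; the rule the removed `IsSentenceOrStatementOwnerOrSystemUserOrReadOnly` class documented ("Only the owner of a sentence or connectivity statement can create a note") is no longer enforced anywhere visible in this series. If that rule still applies, add the permission class whose `has_permission` now calls `check_related_entity_ownership` on create (changed in PATCH 1/2) alongside `IsAuthenticatedOrReadOnly`, and pair it with an object-level owner check for update and delete. This is still tighter than the previous `permission_classes = []`, which replaced DRF's default permission classes with none at all. NoteViewSet's body continues past the hunk, so a `get_permissions` override there, if one exists, would change this assessment.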