author | René 'Necoro' Neumann <necoro@necoro.net> | 2013-10-16 01:31:03 +0200 |
committer | René 'Necoro' Neumann <necoro@necoro.net> | 2013-10-16 01:31:03 +0200 |
commit | 3d2ba33917b5b72a5eaf57a3843ee9c8033d15c9 (patch) | |
tree | 19834310851470302a47dbe3a7b69f170fb97797 /app/utils.py | |
parent | d64e80b53fa82af41c6e49b9de08632348c3527a (diff) | |
Check user's authorisation when loading entries by ID.
Diffstat (limited to 'app/utils.py')
-rw-r--r-- | app/utils.py | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/app/utils.py b/app/utils.py
index 3a08535..e6a7c95 100644
--- a/app/utils.py
+++ b/app/utils.py
@@ -1,7 +1,9 @@
 from functools import wraps
-from flask import request, render_template, url_for
+from flask import flash, request, render_template, url_for
 from flask import redirect as _redirect
+from .login import current_user
+
 def _gen_tpl(endpoint):
     return endpoint.replace('.', '/') + '.jinja'
@@ -33,3 +35,29 @@ def redirect (target, **kwargs):
         return _redirect(url)
     else:
         return _redirect(url, code)
+
+def assert_authorisation(constructor, param):
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            p = kwargs.get(param, None)
+
+            if p is None:
+                raise TypeError("Keyword %s expected but not received." % param)
+
+            obj = constructor(p)
+            if obj is None:
+                flash(u"Eintrag existiert nicht!", u'error')
+                return redirect('index')
+
+            if not hasattr(obj, 'user_id'):
+                return f(*args, **kwargs)
+
+            # explicitly use user_id to avoid having to load the user object
+            if obj.user_id != current_user.id:
+                flash(u"Nicht erlaubte Operation!", u'error')
+                return redirect('index')
+            else:
+                return f(*args, **kwargs)
+        return decorated_function
+    return decorator |
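Review bot: The ownership check in `decorated_function` fails open: any object returned by `constructor` that has no `user_id` attribute is handed straight to `f` (`if not hasattr(obj, 'user_id'): return f(*args, **kwargs)`), so a constructor that yields the wrong type, or a future model that names its owner column differently, silently disables the authorisation this commit is adding. Unless there is a deliberate class of unowned entries, I would fail closed there — `if not hasattr(obj, 'user_id'): raise TypeError("%r has no user_id; cannot authorise" % (obj,))` — or at minimum add a comment naming which constructors are expected to return unowned objects. Separately, `obj.user_id != current_user.id` presumes an authenticated user; if `current_user` can be anonymous on these routes (that depends on `.login`, which is outside this diff), `.id` may be absent or `None`, and an entry whose `user_id` is `None` would then compare equal and be granted, so this decorator should either be paired with the login check or guard on the user being authenticated before comparing ids. Both functions touched by the hunks are fully visible.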