From 3d2ba33917b5b72a5eaf57a3843ee9c8033d15c9 Mon Sep 17 00:00:00 2001
From: René 'Necoro' Neumann
Date: Wed, 16 Oct 2013 01:31:03 +0200
Subject: Check user's authorisation when loading entries by ID.

---
 app/utils.py | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

(limited to 'app/utils.py')

diff --git a/app/utils.py b/app/utils.py
index 3a08535..e6a7c95 100644
--- a/app/utils.py
+++ b/app/utils.py
@@ -1,7 +1,9 @@
 from functools import wraps
-from flask import request, render_template, url_for
+from flask import flash, request, render_template, url_for
 from flask import redirect as _redirect + +from .login import current_user + + def _gen_tpl(endpoint): + return endpoint.replace('.', '/') + '.jinja' +
@@ -33,3 +35,29 @@ def redirect (target, **kwargs):
 return _redirect(url)
 else:
 return _redirect(url, code)
+
+def assert_authorisation(constructor, param):
+ def decorator(f):
+ @wraps(f)
+ def decorated_function(*args, **kwargs):
+ p = kwargs.get(param, None)
+
+ if p is None:
+ raise TypeError("Keyword %s expected but not received." % param)
+
+ obj = constructor(p)
+ if obj is None:
+ flash(u"Eintrag existiert nicht!", u'error')
+ return redirect('index')
+
+ if not hasattr(obj, 'user_id'):
+ return f(*args, **kwargs)
+
+ # explicitly use user_id to avoid having to load the user object
+ if obj.user_id != current_user.id:
+ flash(u"Nicht erlaubte Operation!", u'error')
+ return redirect('index')
+ else:
+ return f(*args, **kwargs)
+ return decorated_function
+ return decorator
--
cgit v1.2.3-54-g00ecf
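Review bot: The `if not hasattr(obj, 'user_id')` branch in `decorated_function` fails open — any object the constructor returns without a `user_id` attribute is handed to the view with no ownership check at all, so a model that merely names its owner column differently silently skips authorisation. If ownerless objects are a deliberate exemption, state it in a docstring on `assert_authorisation` (what `constructor` and `param` are, that ownership is only checked when the loaded object exposes `user_id`, and that missing or foreign objects redirect to `index`); otherwise fail closed with `if not hasattr(obj, 'user_id'): flash(u"Nicht erlaubte Operation!", u'error'); return redirect('index')`. `current_user` comes from the project's `.login` module, which is outside this diff, so whether it can be anonymous at this point is unclear; if it can, `current_user.id` either raises or compares as a non-owner, and the decorator should either guard that case or be documented as requiring the login check to be applied first. The second hunk's layout was collapsed in the scrape, so the indentation of `return decorated_function` and `return decorator` cannot be verified here; please confirm they close `decorator` and `assert_authorisation` respectively.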