MastodonC / kixi.hecuba

Eclipse Public License 1.0

Error when accessing a programme resources #653

Open Eleonore9 opened 8 years ago

Eleonore9 commented 8 years ago

I did a GET request on a programme, "https://www.getembed.com/4/programmes/*programme-id*"; the response is ExceptionInfo clj-http: status 403 clj-http.client/wrap-exceptions/fn--9468 (client.clj:196).

-> When querying "https://www.getembed.com/4/programmes/" this programme is returned (amongst lots of other programmes).
-> When looking at the logs on the server I see only 3 programmes I'm allowed to access as programme manager.
-> The programme tested had :public_access "true".

otfrom commented 8 years ago

I think allowed?* in k.h.a.programmes is using filter-programmes in the wrong way. (programme/get-by-id ...) should be in the match part and there should be a check for whether the public_access bit is true. All of the match lines in

(match [(has-admin? role)
        (has-programme-manager? programme_id allowed-programmes)
        (has-user? programme_id allowed-programmes nil nil)
        request-method]

       [true _ _ _]    [true {::item (assoc (programmes/get-by-id session programme_id) :editable true :admin true)}]
       [_ true _ _]    [true {::item (first (filter-programmes allowed-programmes allowed-projects programme-ids-for-projects
                                                              [(programmes/get-by-id session programme_id)]))}]
       [_ _ true :get] [true {::item (first (filter-programmes allowed-programmes allowed-projects programme-ids-for-projects
                                                              [(programmes/get-by-id session programme_id)]))}]
       :else false)

should look like

[true {::item (assoc programme-from-let :editable <as appropriate> :admin <as appropriate>)}]
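
The decision shape suggested in the comment above, as an added example that is not kixi.hecuba's code: the programme is fetched once in a `let`, and a GET on a programme whose `:public_access` is "true" is allowed even when it is not in the caller's allowed set. The in-memory `programmes` map, the `role` / `managed-ids` / `user-ids` arguments and the `:editable` / `:admin` values chosen per branch are assumptions, and plain `cond` stands in for core.match.

```clojure
(ns example.programme-access)

;; Constructed sample data. The issue reports :public_access stored as the
;; string "true", so the sample uses strings as well.
(def programmes
  {"p-1" {:programme_id "p-1" :name "Managed"        :public_access "false"}
   "p-2" {:programme_id "p-2" :name "Public"         :public_access "true"}
   "p-3" {:programme_id "p-3" :name "Private, other" :public_access "false"}})

(defn public?
  "Compares against the string \"true\": the string \"false\" is truthy in
  Clojure, so a bare truthiness test would open every programme."
  [programme]
  (= "true" (str (:public_access programme))))

(defn allowed?
  "Returns [true {::item ...}] when access is granted and false otherwise
  (false is what ends up as the 403). `role`, `managed-ids` and `user-ids`
  (sets of programme ids) are hypothetical stand-ins for the project's
  has-admin?, has-programme-manager? and has-user? checks."
  [{:keys [role managed-ids user-ids]} request-method programme-id]
  (let [programme (get programmes programme-id) ; fetched once, reused by every branch
        item      (fn [editable admin]
                    [true {::item (assoc programme :editable editable :admin admin)}])]
    (cond
      (nil? programme)                     false
      (= role :admin)                      (item true true)
      (contains? managed-ids programme-id) (item true false) ; assumption: managers may edit
      (and (= request-method :get)
           (or (contains? user-ids programme-id)
               (public? programme)))       (item false false) ; read-only access
      :else                                false)))

;; Constructed caller: a programme manager for p-1 only, as in the report.
(let [manager {:role :programme-manager :managed-ids #{"p-1"} :user-ids #{}}]
  (doseq [[method id] [[:get "p-1"] [:get "p-2"] [:put "p-2"] [:get "p-3"]]]
    (println method id "->" (boolean (allowed? manager method id)))))
```

The `[:put "p-2"]` and `[:get "p-3"]` cases are the ones to keep in a regression test: public access must not grant writes, and a non-public programme outside the caller's set must still be refused.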