The-WebOps-Club / fest-api

An API implementation for Saarang Shaastra like fests, including ERP and Mainsite and Mobile interface

Access rights #83

Closed AbdealiLoKo closed 10 years ago

AbdealiLoKo commented 10 years ago

Most people do not have access rights to their own subdepts and all

Lots of complications

AbdealiLoKo commented 10 years ago

Solved.

AbdealiLoKo commented 10 years ago

This was a major cup in the query for has_access and get_my_posts functions.

shahidhk commented 10 years ago

has_access returns the count of walls the user has access to. But this doesn't prevent the user from accessing walls that he isn't supposed to see. Let's say one coord goes to /wall/76. It's the Core Wall and he is not supposed to see that. The only check? wall_accessible, which is set False only if wall.has_access returns zero. But has_access, which in turn invokes check_access_rights, takes no account of the corresponding wall object. It just returns the number of walls the user has access to. Need to fix this.

Phoenix25 commented 10 years ago

Is it because of the Q( id = thing.id )? I noticed that. It applies only to the one on the top, I think. Can someone replicate that one token again in the isinstance( thing, Wall ) statement?


AbdealiLoKo commented 10 years ago

Thing.id check is for both no ?

AbdealiLoKo commented 10 years ago

Oh this thing, I thought u had fixed it.

Done

shahidhk commented 10 years ago

Logical issue: condition = id & ( a | b | c | d ), and then condition = condition | x | y | z. So, id will be overcome.
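The composition error described in this comment, as an added example that is not part of the thread and is not fest-api code. The class P is a hypothetical stand-in for how Django Q objects combine with & and |; the wall and user fields, the sample data and the function names are constructed for illustration.

```python
# Constructed model of the filter composition discussed above; not fest-api code.
# P mimics how Django Q objects combine with & and |, evaluated over plain dicts.
class P:
    def __init__(self, fn):
        self.fn = fn
    def __and__(self, other):
        return P(lambda row: self.fn(row) and other.fn(row))
    def __or__(self, other):
        return P(lambda row: self.fn(row) or other.fn(row))
    def count(self, rows):
        return sum(1 for row in rows if self.fn(row))

# Constructed sample data: wall 76 is the core wall, wall 12 belongs to a subdept.
WALLS = [
    {"id": 76, "subdepts": set(), "users": {"core1"}},
    {"id": 12, "subdepts": {"webops"}, "users": set()},
]
COORD = {"name": "coord1", "subdepts": {"webops"}}

def direct(user):       # user is listed on the wall itself
    return P(lambda w: user["name"] in w["users"])

def via_subdept(user):  # one of the user's subdepts is listed on the wall
    return P(lambda w: bool(user["subdepts"] & w["subdepts"]))

def has_access_buggy(user, wall, walls=WALLS):
    cond = P(lambda w: w["id"] == wall["id"]) & direct(user)
    cond = cond | via_subdept(user)  # OR-ed on afterwards: the id filter no longer binds
    return cond.count(walls)         # counts any wall the user can reach

def has_access_fixed(user, wall, walls=WALLS):
    this_wall = P(lambda w: w["id"] == wall["id"])
    cond = this_wall & (direct(user) | via_subdept(user))  # id filter wraps every branch
    return cond.count(walls)         # 0 or 1, for the requested wall only
```

With the buggy composition a caller that only tests for a nonzero count treats wall 76 as accessible to the coord, because wall 12 satisfies the OR-ed branch.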

AbdealiLoKo commented 10 years ago

Yes, it's just two lines of code changed na .. We had noticed this, I thought Sai Praveen had changed it.

On Sun, Jun 1, 2014 at 4:20 PM, Shahidh K Muhammed <notifications@github.com> wrote:

closed? is it fixed?