ergo / ziggurat_foundations

Framework agnostic set of sqlalchemy classes that make building applications that require permissions an easy task.
BSD 3-Clause "New" or "Revised" License

Incorrect PermissionTuple for direct_perms_for_user in the case when the user owns the Resource #69

Closed matiuszka closed 3 years ago

matiuszka commented 3 years ago

Hi,

When the requesting user is the owner of the resource, an incorrect tuple is about to be created.

Trivial steps to reproduce the error. If that is not enough, I will add some more code.

user = User(...)
resource = Resource(...)
resource.owner = user
ResourceService.direct_perms_for_user(resource, user)

Causes:

        if instance.owner_user_id == user.id:
            perms.append(
>               PermissionTuple(user, ALL_PERMISSIONS, "user", None, instance, True)
            )
E           TypeError: __new__() missing 1 required positional argument: 'allowed'

I've checked the tests and there is no case where this situation is tested. The fix will be really simple because it looks like this particular condition was overlooked in some kind of refactoring:

# include all perms if user is the owner of this resource
if instance.owner_user_id == user.id:
    perms.append(
        PermissionTuple(user, ALL_PERMISSIONS, "user", None, instance, True, True) #  Missing positional argument
    )

Affected version:

ziggurat-foundations    0.8.3

ergo commented 3 years ago

This is now fixed. Sorry for taking so long.
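
A regression check for the untested owner branch reported in this issue, as an added example that is not part of the thread or the project's code. It uses a stand-in `PermissionTuple` (field names other than `allowed` are assumptions, as are the minimal `User` and `Resource` models and the `ALL_PERMISSIONS` value) and builds the tuple with keyword arguments instead of the positional fix posted above, so a dropped field cannot pass unnoticed.

```python
from collections import namedtuple

# Stand-in for the library's tuple: seven fields with 'allowed' last, as the
# traceback reports. Field names other than 'allowed' are assumptions.
PermissionTuple = namedtuple(
    "PermissionTuple",
    ["user", "perm_name", "type", "group", "resource", "owner", "allowed"],
)
ALL_PERMISSIONS = "__all_permissions__"  # constructed sentinel value

# Constructed minimal models; the real ones are SQLAlchemy classes.
User = namedtuple("User", ["id"])
Resource = namedtuple("Resource", ["resource_id", "owner_user_id"])


def owner_perms_before(instance, user):
    """Owner branch as shown in the traceback: six positional arguments."""
    perms = []
    if instance.owner_user_id == user.id:
        perms.append(
            PermissionTuple(user, ALL_PERMISSIONS, "user", None, instance, True)
        )
    return perms


def owner_perms_after(instance, user):
    """Owner branch with every field named, so none can be silently omitted."""
    perms = []
    if instance.owner_user_id == user.id:
        perms.append(PermissionTuple(
            user=user, perm_name=ALL_PERMISSIONS, type="user", group=None,
            resource=instance, owner=True, allowed=True,
        ))
    return perms


def owner_branch_raises(func):
    """Return True if resolving permissions for the owner raises TypeError."""
    owner = User(id=1)
    try:
        func(Resource(resource_id=10, owner_user_id=owner.id), owner)
    except TypeError:
        return True
    return False
```
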