Closed toconnell closed 2 years ago
Looks like moving the requester perms check 'up' into the base class (i.e. out of the survivor class) failed to account for the 'public' flag.
Fix for now is a carve-out on the base class method that's going to be ignore on non-survivor objects:
toconnell@mona:~/kdm-manager-api$ git diff app/models/__init__.py
diff --git a/app/models/__init__.py b/app/models/__init__.py
index 42c2592..470bdb6 100644
--- a/app/models/__init__.py
+++ b/app/models/__init__.py
@@ -1335,6 +1335,10 @@ class UserAsset(object):
if requester['_id'] == getattr(self, 'created_by', None):
return 'write'
+ # carve-out for 'public' survivors
+ if hasattr(self, 'survivor') and self.survivor.get('public', False):
+ return 'write'
+
# if we're still here, check players
for player in self.get_players():
if player['_id'] == requester['_id']:
From email:
Unclear if it's settlement-level sharing permissions or survivor-level that's blocking this. Attempting to recreate it in dev.