theLaborInVain / kdm-manager-api

The API used by https://kdm-manager.com and related Kingdom Death: Monster utilities.

Survivors: permission issue #60

Closed toconnell closed 2 years ago

toconnell commented 2 years ago

From email:

Another player is unable to make changes to survivors marked as 'allow all players to manage'.

Unclear if it's settlement-level sharing permissions or survivor-level that's blocking this. Attempting to recreate it in dev.

toconnell commented 2 years ago

Looks like moving the requester perms check 'up' into the base class (i.e. out of the survivor class) failed to account for the 'public' flag.

Fix for now is a carve-out on the base class method that's going to be ignored on non-survivor objects:

toconnell@mona:~/kdm-manager-api$ git diff app/models/__init__.py
diff --git a/app/models/__init__.py b/app/models/__init__.py
index 42c2592..470bdb6 100644
--- a/app/models/__init__.py
+++ b/app/models/__init__.py
@@ -1335,6 +1335,10 @@ class UserAsset(object):
         if requester['_id'] == getattr(self, 'created_by', None):
             return 'write'

+        # carve-out for 'public' survivors
+        if hasattr(self, 'survivor') and self.survivor.get('public', False):
+            return 'write'
+
         # if we're still here, check players
         for player in self.get_players():
             if player['_id'] == requester['_id']:
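
Review bot: the carve-out added just above the "# if we're still here, check players" comment returns 'write' without consulting `requester`, so any requester who reaches this point gets write access to a public survivor whether or not they appear in `self.get_players()`. The report was about other players of the settlement, so consider applying the `public` test only after the requester has matched in the `for player in self.get_players():` loop, or combining both conditions in one check. The `hasattr(self, 'survivor')` test also puts survivor-specific knowledge into `UserAsset`; an override in the survivor class that calls the base method first would keep the base class generic, and the comment could state exactly what 'public' is meant to grant and to whom.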