Fix issue with user permission on package deletion

Forbid deletion of non-owned packages for non-admin users Closes-Bug: #1312190 Change-Id: I06d79cc7530b64c9c84dbf09e332dffc48843ab8
2014-04-29 11:19:48 +04:00 · 2014-04-29 11:19:48 +04:00 · 5b9ef90b68
commit 5b9ef90b68
parent aa6aa6f511
2 changed files with 4 additions and 3 deletions
--- a/muranoapi/api/v1/catalog.py
+++ b/muranoapi/api/v1/catalog.py
@ -210,7 +210,7 @@ class Controller(object):
        return package.archive

    def delete(self, req, package_id):
-        db_api.package_delete(package_id)
+        db_api.package_delete(package_id, req.context)

    def show_categories(self, req):
        categories = db_api.categories_list()
--- a/muranoapi/db/catalog/api.py
+++ b/muranoapi/db/catalog/api.py
@ -363,15 +363,16 @@ def package_upload(values, tenant_id):
    return package


-def package_delete(package_id):
+def package_delete(package_id, context):
    """
    Delete package information from the system ID of a package, string
    parameters to update
    """
    session = db_session.get_session()
+
    with session.begin():
        package = session.query(models.Package).get(package_id)
-
+        _authorize_package(package, context)
        session.delete(package)