From 5b9ef90b686fec37ba0efc99e6e8cd1ccdbaad48 Mon Sep 17 00:00:00 2001
From: Ekaterina Fedorova
Date: Tue, 29 Apr 2014 11:19:48 +0400
Subject: [PATCH] Fix issue with user permission on package deletion
Forbid deletion of non-owned packages for non-admin users
Closes-Bug: #1312190
Change-Id: I06d79cc7530b64c9c84dbf09e332dffc48843ab8
---
 muranoapi/api/v1/catalog.py | 2 +-
 muranoapi/db/catalog/api.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/muranoapi/api/v1/catalog.py b/muranoapi/api/v1/catalog.py
index 2bb2ca89..27249bba 100644
--- a/muranoapi/api/v1/catalog.py
+++ b/muranoapi/api/v1/catalog.py
@@ -210,7 +210,7 @@ class Controller(object):
 return package.archive
 def delete(self, req, package_id):
- db_api.package_delete(package_id)
+ db_api.package_delete(package_id, req.context)
 def show_categories(self, req):
 categories = db_api.categories_list()
diff --git a/muranoapi/db/catalog/api.py b/muranoapi/db/catalog/api.py
index 9a122ec9..31d221d6 100644
--- a/muranoapi/db/catalog/api.py
+++ b/muranoapi/db/catalog/api.py
@@ -363,15 +363,16 @@ def package_upload(values, tenant_id):
 return package
-def package_delete(package_id):
+def package_delete(package_id, context):
 """ Delete package information from the system ID of a package, string parameters to update """
 session = db_session.get_session()
+
 with session.begin():
 package = session.query(models.Package).get(package_id)
-
+ _authorize_package(package, context)
 session.delete(package)
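Review bot: The ownership check this fix depends on is invisible from `Controller.delete`: the new call only forwards `req.context`, and any rejection of a non-owner happens inside `db_api.package_delete`. A comment above the call would keep a later refactor from dropping the argument, for example `# Authorization happens in the DB layer: package_delete checks ownership against req.context.` The diffstat lists only the two source files, so the patch appears to carry no regression test showing that a non-admin tenant is refused when deleting another tenant's package; one belongs with a permission fix. The Controller class continues outside the hunk, so whether its other package methods pass the context the same way cannot be judged from here.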
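Review bot: `session.query(models.Package).get(package_id)` yields `None` for an unknown id, and the added `_authorize_package(package, context)` line then receives `None` before `session.delete(package)` does. `_authorize_package` is defined outside this hunk, so its behaviour on `None` is not visible, but unless it handles that case a non-admin request for a missing package would likely surface as an unhandled error rather than a clean not-found response. A guard such as `if package is None:` raising the project's not-found error ahead of the authorization call would make the outcome explicit. The docstring also still reads "parameters to update" and says nothing about `context`; it should state that `context` is the request context used for the ownership check.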