auth: don't expose full set of permissions into channelstream payload....
ergo -
r2194:90609677 stable
@@ -71,6 +71,7 b' class ChannelstreamView(object):'
71 71 except Exception:
72 72 log.exception('Failed to decode json from request')
73 73 raise HTTPBadRequest()
74
74 75 try:
75 76 channels = check_channel_permissions(
76 77 json_body.get('channels'),
@@ -92,7 +93,7 b' class ChannelstreamView(object):'
92 93 'display_name': None,
93 94 'display_link': None,
94 95 }
95 user_data['permissions'] = self._rhodecode_user.permissions
96 user_data['permissions'] = self._rhodecode_user.permissions_safe
96 97 payload = {
97 98 'username': user.username,
98 99 'user_state': user_data,
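Review bot: `user_data['permissions']` still carries the whole remaining permission map into `user_state`, so this change narrows what reaches channelstream but does not bound it. After the switch to `permissions_safe`, every repository, repository-group and user-group name where the user has some access is still sent, presumably along with any other sections `get_perms` returns. If the channelstream consumers only need a subset (this is not visible from the hunk), it would be safer to build that subset explicitly at this call site and add a short comment such as `# only non-'none' permission entries leave the server here`. The enclosing method starts and ends outside the hunk.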
@@ -824,6 +824,24 b' class AuthUser(object):'
824 824 def permissions(self):
825 825 return self.get_perms(user=self, cache=False)
826 826
827 @LazyProperty
828 def permissions_safe(self):
829 """
830 Filtered permissions excluding not allowed repositories
831 """
832 perms = self.get_perms(user=self, cache=False)
833
834 perms['repositories'] = {
835 k: v for k, v in perms['repositories'].iteritems()
836 if v != 'repository.none'}
837 perms['repositories_groups'] = {
838 k: v for k, v in perms['repositories_groups'].iteritems()
839 if v != 'group.none'}
840 perms['user_groups'] = {
841 k: v for k, v in perms['user_groups'].iteritems()
842 if v != 'usergroup.none'}
843 return perms
844
827 845 def permissions_with_scope(self, scope):
828 846 """
829 847 Call the get_perms function with scoped data. The scope in that function
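Review bot: `permissions_safe` overwrites three keys on the dict returned by `get_perms` instead of on a copy, so it is only correct while `get_perms(user=self, cache=False)` returns a fresh object on every call. That helper is not visible in this hunk, so this is worth confirming or guarding with a copy before filtering. The three comprehensions differ only in the key and the sentinel value and would read better as one loop over a small mapping (`'repositories': 'repository.none'`, and so on). The docstring mentions only repositories; it should say something like `Permissions with 'repository.none', 'group.none' and 'usergroup.none' entries removed; all other sections are returned as-is.`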