Log fixes (#534)

* tying up some loose ends with event logging * Ensuring creators can access
2016-11-28 14:13:16 -08:00
parent e2143d3ee8
commit 727bc87ede
11 changed files with 70 additions and 65 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -68,19 +68,19 @@ class Certificate(db.Model):
    authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))
    root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))

-    notifications = relationship("Notification", secondary=certificate_notification_associations, backref='certificate')
-    destinations = relationship("Destination", secondary=certificate_destination_associations, backref='certificate')
-    sources = relationship("Source", secondary=certificate_source_associations, backref='certificate')
-    domains = relationship("Domain", secondary=certificate_associations, backref="certificate")
-    roles = relationship("Role", secondary=roles_certificates, backref="certificate")
-    replaces = relationship("Certificate",
+    notifications = relationship('Notification', secondary=certificate_notification_associations, backref='certificate')
+    destinations = relationship('Destination', secondary=certificate_destination_associations, backref='certificate')
+    sources = relationship('Source', secondary=certificate_source_associations, backref='certificate')
+    domains = relationship('Domain', secondary=certificate_associations, backref='certificate')
+    roles = relationship('Role', secondary=roles_certificates, backref='certificate')
+    replaces = relationship('Certificate',
                            secondary=certificate_replacement_associations,
                            primaryjoin=id == certificate_replacement_associations.c.certificate_id,  # noqa
                            secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id,  # noqa
                            backref='replaced')

-    logs = relationship("Log", backref="certificate")
-    endpoints = relationship("Endpoint", backref='certificate')
+    logs = relationship('Log', backref='certificate')
+    endpoints = relationship('Endpoint', backref='certificate')

    def __init__(self, **kwargs):
        cert = lemur.common.utils.parse_certificate(kwargs['body'])
--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@ -438,9 +438,10 @@ class CertificatePrivateKey(AuthenticatedResource):
        if not cert:
            return dict(message="Cannot find specified certificate"), 404

-        if not g.current_user.is_admin:
+        # allow creators
+        if g.current_user != cert.user:
            owner_role = role_service.get_by_name(cert.owner)
-            permission = CertificatePermission(cert.id, owner_role, [x.name for x in cert.roles])
+            permission = CertificatePermission(owner_role, [x.name for x in cert.roles])

            if not permission.can():
                return dict(message='You are not authorized to view this key'), 403
@ -621,27 +622,32 @@ class Certificates(AuthenticatedResource):
        """
        cert = service.get(certificate_id)

-        owner_role = role_service.get_by_name(cert.owner)
-        permission = CertificatePermission(cert.id, owner_role, [x.name for x in cert.roles])
+        if not cert:
+            return dict(message="Cannot find specified certificate"), 404

-        if permission.can():
-            for destination in data['destinations']:
-                if destination.plugin.requires_key:
-                    if not cert.private_key:
-                        return dict('Unable to add destination: {0}. Certificate does not have required private key.'.format(destination.label))
+        # allow creators
+        if g.current_user != cert.user:
+            owner_role = role_service.get_by_name(cert.owner)
+            permission = CertificatePermission(owner_role, [x.name for x in cert.roles])

-            return service.update(
-                certificate_id,
-                data['owner'],
-                data['description'],
-                data['notify'],
-                data['destinations'],
-                data['notifications'],
-                data['replacements'],
-                data['roles']
-            )
+            if not permission.can():
+                return dict(message='You are not authorized to update this certificate'), 403

-        return dict(message='You are not authorized to update this certificate'), 403
+        for destination in data['destinations']:
+            if destination.plugin.requires_key:
+                if not cert.private_key:
+                    return dict('Unable to add destination: {0}. Certificate does not have required private key.'.format(destination.label))
+
+        return service.update(
+            certificate_id,
+            data['owner'],
+            data['description'],
+            data['notify'],
+            data['destinations'],
+            data['notifications'],
+            data['replacements'],
+            data['roles']
+        )


 class NotificationCertificatesList(AuthenticatedResource):
@ -923,9 +929,10 @@ class CertificateExport(AuthenticatedResource):
                        plugin.slug))

            else:
-                if not g.current_user.is_admin:
+                # allow creators
+                if g.current_user != cert.user:
                    owner_role = role_service.get_by_name(cert.owner)
-                    permission = CertificatePermission(cert.id, owner_role, [x.name for x in cert.roles])
+                    permission = CertificatePermission(owner_role, [x.name for x in cert.roles])

                    if not permission.can():
                        return dict(message='You are not authorized to export this certificate.'), 403