From 8d112c13609967a6d7a6d0123fb7d51d8631c448 Mon Sep 17 00:00:00 2001
From: yiorgos marinellis <yiorgos@deevio.ai>
Date: Wed, 13 May 2020 19:52:09 +0200
Subject: [PATCH] Abort snapshot action if current user is not owner of the
 (non-component) device

---
 ereuse_devicehub/resources/action/views.py    | 10 +++++++++-
 ereuse_devicehub/resources/user/exceptions.py | 11 ++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ereuse_devicehub/resources/action/views.py b/ereuse_devicehub/resources/action/views.py
index 0c098352..5c2ea0f5 100644
--- a/ereuse_devicehub/resources/action/views.py
+++ b/ereuse_devicehub/resources/action/views.py
@@ -2,7 +2,7 @@ from distutils.version import StrictVersion
 from typing import List
 from uuid import UUID
 
-from flask import current_app as app, request
+from flask import current_app as app, request, g
 from sqlalchemy.util import OrderedSet
 from teal.marshmallow import ValidationError
 from teal.resource import View
@@ -13,6 +13,8 @@ from ereuse_devicehub.resources.action.models import Action, RateComputer, Snaps
 from ereuse_devicehub.resources.action.rate.v1_0 import CannotRate
 from ereuse_devicehub.resources.device.models import Component, Computer
 from ereuse_devicehub.resources.enums import SnapshotSoftware
+from ereuse_devicehub.resources.user.exceptions import InsufficientPermission
+
 
 SUPPORTED_WORKBENCH = StrictVersion('11.0')
 
@@ -56,6 +58,7 @@ class ActionView(View):
         # Note that if we set the device / components into the snapshot
         # model object, when we flush them to the db we will flush
         # snapshot, and we want to wait to flush snapshot at the end
+
         device = snapshot_json.pop('device')  # type: Computer
         components = None
         if snapshot_json['software'] == (SnapshotSoftware.Workbench or SnapshotSoftware.WorkbenchAndroid):
@@ -73,6 +76,11 @@ class ActionView(View):
         assert not device.actions_one
         assert all(not c.actions_one for c in components) if components else True
         db_device, remove_actions = resource_def.sync.run(device, components)
+
+        # Check ownership of (non-component) device to from current.user
+        if(db_device.owner_id != g.user.id):
+            raise InsufficientPermission()
+
         del device  # Do not use device anymore
         snapshot.device = db_device
         snapshot.actions |= remove_actions | actions_device  # Set actions to snapshot
diff --git a/ereuse_devicehub/resources/user/exceptions.py b/ereuse_devicehub/resources/user/exceptions.py
index 2c16e000..bc50cdc6 100644
--- a/ereuse_devicehub/resources/user/exceptions.py
+++ b/ereuse_devicehub/resources/user/exceptions.py
@@ -1,5 +1,14 @@
-from werkzeug.exceptions import Unauthorized
+from werkzeug.exceptions import Unauthorized, Forbidden
 
 
 class WrongCredentials(Unauthorized):
     description = 'There is not an user with the matching username/password'
+
+
+class InsufficientPermission(Forbidden):
+
+    description = (
+        "You don't have the permissions to access the requested"
+        "resource. It is either read-protected or not readable by the"
+        "server."
+    )