[AdminTL#83] server cmd character: fix permission when get user

- check if get user is the same user
- check admin persmission from generic command

src/web/base_handler.py

@@ -45,6 +45,12 @@ def get_current_user(self):
         else:
             print("Error type on cookie %s %s" % (data, self.request.remote_ip), file=sys.stderr)
 
+    def is_permission_admin(self):
+        return self.current_user and self.current_user.get("permission") == "Admin"
+
+    def is_user_id(self, user_id):
+        return self.current_user and self.current_user.get("user_id") == user_id
+
     def give_cookie(self, user_id, twitter_access_token=None, facebook_access_token=None, google_access_token=None):
         if user_id:
             data = {

src/web/handlers.py

@@ -350,7 +350,7 @@ def get(self):
             self.set_status(404)
             self.send_error(404)
             raise tornado.web.Finish()
-        if self.current_user.get("permission") == "Admin":
+        if self.is_permission_admin():
             self.render('admin/news.html', **self._global_arg)
         else:
             print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
@@ -369,7 +369,7 @@ def get(self):
             self.set_status(404)
             self.send_error(404)
             raise tornado.web.Finish()
-        if self.current_user.get("permission") == "Admin":
+        if self.is_permission_admin():
             self.render('admin/character.html', **self._global_arg)
         else:
             print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
@@ -416,6 +416,7 @@ def get(self):
             self.send_error(404)
             raise tornado.web.Finish()
 
+        # validate argument
         user_id = self.request.query[len("user_id="):]
         is_admin = self.request.query == "is_admin"
         if user_id == "" and not is_admin:
@@ -424,11 +425,25 @@ def get(self):
             self.send_error(403)
             raise tornado.web.Finish()
 
-        # TODO manage what we get and user management permission
+        # validate permission and send result
         if is_admin:
-            data = json.dumps(self._db.get_all_user())
+            if self.is_permission_admin():
+                data = json.dumps(self._db.get_all_user())
+            else:
+                print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
+                # Forbidden
+                self.set_status(403)
+                self.send_error(403)
+                raise tornado.web.Finish()
         else:
-            data = json.dumps(self._db.get_all_user(user_id=user_id))
+            if self.is_permission_admin() or self.is_user_id(user_id):
+                data = json.dumps(self._db.get_all_user(user_id=user_id))
+            else:
+                print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
+                # Forbidden
+                self.set_status(403)
+                self.send_error(403)
+                raise tornado.web.Finish()
 
         self.write(data)
         self.finish()