From b909e30cfa453dd17fb52ba74accfe69cf6c8150 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Sun, 18 Mar 2018 22:19:18 -0400
Subject: [PATCH] [#83] server cmd character: fix permission when get user

- check if get user is the same user
- check admin persmission from generic command
---
 src/web/base_handler.py | 6 ++++++
 src/web/handlers.py | 25 ++++++++++++++++++++-----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/src/web/base_handler.py b/src/web/base_handler.py
index 48ac1a35..26c1f33b 100644
--- a/src/web/base_handler.py
+++ b/src/web/base_handler.py
@@ -45,6 +45,12 @@ def get_current_user(self):
             else:
                 print("Error type on cookie %s %s" % (data, self.request.remote_ip), file=sys.stderr)
 
+    def is_permission_admin(self):
+        return self.current_user and self.current_user.get("permission") == "Admin"
+
+    def is_user_id(self, user_id):
+        return self.current_user and self.current_user.get("user_id") == user_id
+
     def give_cookie(self, user_id, twitter_access_token=None, facebook_access_token=None, google_access_token=None):
         if user_id:
             data = {
diff --git a/src/web/handlers.py b/src/web/handlers.py
index 8c4581b3..53d05581 100644
--- a/src/web/handlers.py
+++ b/src/web/handlers.py
@@ -350,7 +350,7 @@ def get(self):
             self.set_status(404)
             self.send_error(404)
             raise tornado.web.Finish()
-        if self.current_user.get("permission") == "Admin":
+        if self.is_permission_admin():
             self.render('admin/news.html', **self._global_arg)
         else:
             print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
@@ -369,7 +369,7 @@ def get(self):
             self.set_status(404)
             self.send_error(404)
             raise tornado.web.Finish()
-        if self.current_user.get("permission") == "Admin":
+        if self.is_permission_admin():
             self.render('admin/character.html', **self._global_arg)
         else:
             print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
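Review bot: `is_permission_admin` and `is_user_id` evaluate to `self.current_user` itself (normally `None`) rather than `False` when nobody is logged in, because `and` returns its first falsy operand; `return bool(self.current_user) and self.current_user.get("permission") == "Admin"` (and the same shape for `is_user_id`) keeps both helpers strictly boolean so they are safe to log or serialise. Neither helper has a docstring; I would add `"""True when a user is logged in and holds the Admin permission."""` and `"""True when the logged-in user's id equals *user_id*."""`. `is_user_id` compares the cookie's `user_id` with the caller's value using `==`, and handlers.py passes it a substring of the raw query string, so if the cookie stores the id as an int the check fails closed for the very user it is meant to admit — worth confirming the stored type and normalising both sides to `str` if they differ. `get_current_user` begins and `give_cookie` ends outside this hunk.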
@@ -416,6 +416,7 @@ def get(self):
             self.send_error(404)
             raise tornado.web.Finish()
 
+        # validate argument
         user_id = self.request.query[len("user_id="):]
         is_admin = self.request.query == "is_admin"
         if user_id == "" and not is_admin:
@@ -424,11 +425,25 @@ def get(self):
             self.send_error(403)
             raise tornado.web.Finish()
 
-        # TODO manage what we get and user management permission
+        # validate permission and send result
         if is_admin:
-            data = json.dumps(self._db.get_all_user())
+            if self.is_permission_admin():
+                data = json.dumps(self._db.get_all_user())
+            else:
+                print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
+                # Forbidden
+                self.set_status(403)
+                self.send_error(403)
+                raise tornado.web.Finish()
         else:
-            data = json.dumps(self._db.get_all_user(user_id=user_id))
+            if self.is_permission_admin() or self.is_user_id(user_id):
+                data = json.dumps(self._db.get_all_user(user_id=user_id))
+            else:
+                print("Insufficient permissions from %s" % self.request.remote_ip, file=sys.stderr)
+                # Forbidden
+                self.set_status(403)
+                self.send_error(403)
+                raise tornado.web.Finish()
 
         self.write(data)
         self.finish()
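Review bot: The new `# validate argument` comment describes validation that the line below it does not perform: `user_id = self.request.query[len("user_id="):]` drops the first eight characters of whatever query string arrived, without checking that they are `user_id=`, and never URL-decodes the remainder. Guarding the prefix is two lines, `query = self.request.query` / `user_id = query[len("user_id="):] if query.startswith("user_id=") else ""`, or the argument can be parsed with Tornado's `self.get_query_argument("user_id", "")`, which also decodes it. The enclosing `get` begins before and ends after this hunk.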
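Review bot: The two `else` branches added under `if is_admin:` are the same six lines and the admin check is evaluated twice; folding the decision into one `allowed` flag leaves a single denial path that is easier to audit, and the log line can then record what was requested (`is_admin`, `user_id`) next to the remote address, so repeated lookups of other users' ids are visible in the server log. `is_user_id(user_id)` compares the cookie's id with the raw query substring; if the stored id is not a `str` the non-admin self-lookup is always denied, which deserves a test. `get` starts before this hunk; the rewrite below replaces the lines from `# validate permission and send result` through the second `raise tornado.web.Finish()`.
```python
        # validate permission and send result
        # Admins may list every user or any single user; anyone else may
        # only read their own record. One denial path serves both cases.
        if self.is_permission_admin():
            allowed = True
        else:
            allowed = not is_admin and self.is_user_id(user_id)
        if not allowed:
            print("Insufficient permissions from %s (is_admin=%r, user_id=%r)"
                  % (self.request.remote_ip, is_admin, user_id), file=sys.stderr)
            # Forbidden
            self.set_status(403)
            self.send_error(403)
            raise tornado.web.Finish()
        if is_admin:
            data = json.dumps(self._db.get_all_user())
        else:
            data = json.dumps(self._db.get_all_user(user_id=user_id))
        # … unchanged: self.write(data) / self.finish() …
```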