From 12152e7dab1745feb72e85d190adc5c3132fbd13 Mon Sep 17 00:00:00 2001
From: Jaden Diefenbaugh <blakcap@users.noreply.github.com>
Date: Thu, 20 Apr 2017 17:00:50 +0200
Subject: [PATCH] clarify permissions scheme for viewing reports & tighten up
 perms

---
 beat/web/reports/views.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/beat/web/reports/views.py b/beat/web/reports/views.py
index 6d17fb7fb..4e13475df 100644
--- a/beat/web/reports/views.py
+++ b/beat/web/reports/views.py
@@ -33,6 +33,7 @@ from django.views.generic import TemplateView
 from django.contrib.auth.models import User
 from django.db.models import Q
 from django.db.models.functions import Coalesce
+from django.http import Http404
 
 from ..ui.templatetags.markup import restructuredtext
 
@@ -44,11 +45,26 @@ import simplejson as json
 #------------------------------------------------
 
 
+# Permissions for viewing a report is complicated:
+# 'E' means that the specific type of user may view the editable mode
+# of the report when the report is in the specified state.
+# 'V' is the same, but for the view-only mode
+# REPORT STATE:       | Editable  | Locked    | Published |
+# USER:               -------------------------------------
+# Author              | E, V      | V         | V         |
+# BEAT User           | V         | V         | V         |
+# Anon                |           | V         | V         |
+# Public Reports List |           |           | V         |
 def by_number(request, number):
-
     # get the query from the DB
     obj = get_object_or_404(Report, number=int(number))
 
+    isAnon = request.user.is_anonymous()
+
+    if obj.status == 'E' and isAnon:
+        # return 404
+        raise Http404('No %s matches the given query.' % Report._meta.object_name)
+
     return render_to_response('reports/report.html',
             {
                 'report_number' : number,
@@ -63,12 +79,16 @@ def by_number(request, number):
 
 
 def for_author(request, author_name, report_name):
-
     # get the query from the DB
     obj = get_object_or_404(Report,
             author__username = author_name,
             name = report_name)
 
+    isAuthor = request.user.username == obj.author.username
+
+    if not isAuthor:
+        # return 404
+        raise Http404('No %s matches the given query.' % Report._meta.object_name)
 
     return render_to_response('reports/report.html',
             {
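Review bot: The new check `isAuthor = request.user.username == obj.author.username` makes `for_author` return 404 for every non-author regardless of the report's status, which contradicts the matrix added above `by_number` (BEAT users and anonymous visitors may view locked and published reports); if this name-based route is intentionally the author-only entry point, say so next to the check, e.g. `# the name-based URL is reserved for the author; other readers use by_number`, otherwise the same status-based rule as `by_number` applies here. Comparing usernames also forces a fetch of `obj.author`; `request.user.pk == obj.author_id` avoids that query and does not depend on an anonymous user's empty username failing the string comparison. The body of `for_author` continues past the end of the hunk.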
-- 
GitLab