Refining access controls

craws · Jan 2, 2025 · cead75c · cead75c
1 parent 9073a7c
commit cead75c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 9 deletions.
diff --git a/openatlas/display/util.py b/openatlas/display/util.py
@@ -137,14 +137,15 @@ def format_entity_date(
 
 
 def profile_image_table_link(entity: Entity, file: Entity, ext: str) -> str:
-    if file.id == entity.image_id:
-        return link(
-            _('unset'),
-            url_for('remove_profile_image', entity_id=entity.id))
-    if ext in g.display_file_ext:
-        return link(
-            _('set'),
-            url_for('set_profile_image', id_=file.id, origin_id=entity.id))
+    if is_authorized('contributor'):
+        if file.id == entity.image_id:
+            return link(
+                _('unset'),
+                url_for('remove_profile_image', entity_id=entity.id))
+        if ext in g.display_file_ext:
+            return link(
+                _('set'),
+                url_for('set_profile_image', id_=file.id, origin_id=entity.id))
     return ''
 
 

diff --git a/openatlas/views/file.py b/openatlas/views/file.py
@@ -24,8 +24,8 @@
     count_files_to_convert, count_files_to_delete, get_disk_space_info)
 
 
-@required_group('readonly')
 @app.route('/file')
+@required_group('readonly')
 def file_index() -> str:
     tabs = {
         'settings': Tab(
@@ -87,12 +87,14 @@ def display_logo(filename: str) -> Any:
 
 
 @app.route('/set_profile_image/<int:id_>/<int:origin_id>')
+@required_group('contributor')
 def set_profile_image(id_: int, origin_id: int) -> Response:
     Entity.set_profile_image(id_, origin_id)
     return redirect(url_for('view', id_=origin_id))
 
 
 @app.route('/remove_profile_image/<int:entity_id>')
+@required_group('contributor')
 def remove_profile_image(entity_id: int) -> Response:
     entity = Entity.get_by_id(entity_id)
     entity.remove_profile_image()

diff --git a/openatlas/views/note.py b/openatlas/views/note.py
@@ -24,6 +24,7 @@ class NoteForm(FlaskForm):
 
 
 @app.route('/note/view/<int:id_>')
+@required_group('readonly')
 def note_view(id_: int) -> str:
     note = User.get_note_by_id(id_)
     if (not note['public']