From cead75cce6940145d2ce7599dc888a0081f71397 Mon Sep 17 00:00:00 2001
From: Alexander Watzinger
Date: Thu, 2 Jan 2025 17:02:06 +0100
Subject: [PATCH] Refining access controls

---
 openatlas/display/util.py | 17 +++++++++--------
 openatlas/views/file.py | 4 +++-
 openatlas/views/note.py | 1 +
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/openatlas/display/util.py b/openatlas/display/util.py
index 3bdc8ecec..aa73cba29 100644
--- a/openatlas/display/util.py
+++ b/openatlas/display/util.py
@@ -137,14 +137,15 @@ def format_entity_date(
 def profile_image_table_link(entity: Entity, file: Entity, ext: str) -> str:
-    if file.id == entity.image_id:
-        return link(
-            _('unset'),
-            url_for('remove_profile_image', entity_id=entity.id))
-    if ext in g.display_file_ext:
-        return link(
-            _('set'),
-            url_for('set_profile_image', id_=file.id, origin_id=entity.id))
+    if is_authorized('contributor'):
+        if file.id == entity.image_id:
+            return link(
+                _('unset'),
+                url_for('remove_profile_image', entity_id=entity.id))
+        if ext in g.display_file_ext:
+            return link(
+                _('set'),
+                url_for('set_profile_image', id_=file.id, origin_id=entity.id))
     return ''
diff --git a/openatlas/views/file.py b/openatlas/views/file.py
index 3e37b8ab6..fe03ab078 100644
--- a/openatlas/views/file.py
+++ b/openatlas/views/file.py
@@ -24,8 +24,8 @@
     count_files_to_convert, count_files_to_delete, get_disk_space_info)
-@required_group('readonly')
 @app.route('/file')
+@required_group('readonly')
 def file_index() -> str:
     tabs = {
         'settings': Tab(
@@ -87,12 +87,14 @@ def display_logo(filename: str) -> Any:
 @app.route('/set_profile_image//')
+@required_group('contributor')
 def set_profile_image(id_: int, origin_id: int) -> Response:
     Entity.set_profile_image(id_, origin_id)
     return redirect(url_for('view', id_=origin_id))
 @app.route('/remove_profile_image/')
+@required_group('contributor')
 def remove_profile_image(entity_id: int) -> Response:
     entity = Entity.get_by_id(entity_id)
     entity.remove_profile_image()
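Review bot: The new authorization test in profile_image_table_link wraps the whole existing body in one more nesting level, where a guard clause at the top — `if not is_authorized('contributor'):` followed by `return ''` — would leave the two original `if file.id == entity.image_id:` / `if ext in g.display_file_ext:` branches at their old indentation and make the diff two added lines instead of a full re-indent. Hiding the set/unset links here is presentation only: a user who knows the URL still reaches the routes, so the `required_group` decorators added to set_profile_image and remove_profile_image in file.py are the actual enforcement, and a comment such as `# Presentation only: the set/remove routes in views/file.py enforce the group check.` would keep a later reader from treating this branch as the security boundary. The function also has no docstring; one saying it returns the set/unset profile-image link markup for a file row, or an empty string when the viewer is not a contributor or the extension is not displayable, would help.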
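Review bot: The decorator swap on file_index carries a non-obvious invariant that should be written down, because the old order looks harmless but silently skips the check: with `@required_group('readonly')` above `@app.route('/file')`, Flask registers the bare function and only the discarded return value gets wrapped (assuming required_group is an ordinary wrapping decorator; its implementation is not in this diff). A comment at the route, e.g. `# @app.route must be outermost so Flask registers the group-checked wrapper`, or a small test that walks app.view_functions and asserts each view carries the wrapper, would stop the same slip from recurring in other view modules. The body of file_index continues past the end of the hunk.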
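Review bot: set_profile_image and remove_profile_image change persistent state but remain reachable with a plain GET, since `@app.route` without a methods argument accepts GET only; the added `required_group('contributor')` decides who may perform the action, not whether the request was intended, so a logged-in contributor can be made to trigger either route through any cross-site image or link that points at it. Restricting both routes to `methods=['POST']` and having the links that util.py generates submit a CSRF-protected form would close that gap; if the project deliberately keeps these as GET actions, a comment at the route saying so would spare the next reviewer the same question. Neither function checks that `id_` actually refers to a file entity or that `entity_id` resolves before calling into Entity — whether those helpers validate that is not visible here, so it is worth confirming. The body of remove_profile_image likely continues past the end of the hunk.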
diff --git a/openatlas/views/note.py b/openatlas/views/note.py
index 2ea7719ea..1f679d969 100644
--- a/openatlas/views/note.py
+++ b/openatlas/views/note.py
@@ -24,6 +24,7 @@ class NoteForm(FlaskForm):
 @app.route('/note/view/')
+@required_group('readonly')
 def note_view(id_: int) -> str:
     note = User.get_note_by_id(id_)
     if (not note['public']