Merge pull request #2966 from emanuelschuetze/issue2956

Send only data to client which user is allowed to see (Fixed #2956).
This commit is contained in:
Emanuel Schütze 2017-02-15 20:18:45 +01:00 committed by GitHub
commit be342f752f
2 changed files with 21 additions and 21 deletions

View File

@ -25,8 +25,8 @@ class MediafileAccessPermissions(BaseAccessPermissions):
Returns the restricted serialized data for the instance prepared
for the user.
"""
data = None
if has_perm(user, 'mediafiles.can_see'):
if (not full_data['hidden'] or has_perm(user, 'mediafiles.can_see_hidden')):
data = full_data
else:
data = None
return data

View File

@ -47,6 +47,8 @@ class MotionAccessPermissions(BaseAccessPermissions):
is_submitter = False
required_permission_to_see = full_data['state_required_permission_to_see']
data = None
if has_perm(user, 'motions.can_see'):
if (not required_permission_to_see or
has_perm(user, required_permission_to_see) or
has_perm(user, 'motions.can_manage') or
@ -62,8 +64,6 @@ class MotionAccessPermissions(BaseAccessPermissions):
except IndexError:
# No data in range. Just do nothing.
pass
else:
data = None
return data
def get_projector_data(self, full_data):