feat(access): Enforce view action and HTTP/Method match for permissio…

…n checks ref: #442
nofusscomputing · Dec 27, 2024 · 3f3e43a · 3f3e43a
1 parent f211f02
commit 3f3e43a
Showing 1 changed file with 30 additions and 15 deletions.
diff --git a/app/access/mixins/permissions.py b/app/access/mixins/permissions.py
@@ -102,50 +102,65 @@ def has_permission(self, request, view):
 
             if(
                 view.action == 'create'
-                or getattr(view.request._stream, 'method', '') == 'POST'
+                and getattr(view.request._stream, 'method', '') == 'POST'
             ):
 
                 view_action = 'add'
 
-            elif (
-                view.action == 'partial_update'
-                or view.action == 'update'
-                or getattr(view.request._stream, 'method', '') == 'PATCH'
-                or getattr(view.request._stream, 'method', '') == 'PUT'
+            elif(
+                view.action == 'destroy'
+                and getattr(view.request._stream, 'method', '') == 'DELETE'
             ):
 
-                view_action = 'change'
+                view_action = 'delete'
 
                 obj_organization: Organization = view.get_obj_organization(
                     obj = view.get_object()
                 )
 
-            elif(
-                view.action == 'destroy'
-                or getattr(view.request._stream, 'method', '') == 'DELETE'
+            elif (
+                view.action == 'list'
             ):
 
-                view_action = 'delete'
+                view_action = 'view'
+
+            elif (
+                view.action == 'partial_update'
+                and getattr(view.request._stream, 'method', '') == 'PATCH'
+            ):
+
+                view_action = 'change'
 
                 obj_organization: Organization = view.get_obj_organization(
                     obj = view.get_object()
                 )
 
             elif (
-                view.action == 'list'
+                view.action == 'update'
+                and getattr(view.request._stream, 'method', '') == 'PUT'
             ):
 
-                view_action = 'view'
+                view_action = 'change'
+
+                obj_organization: Organization = view.get_obj_organization(
+                    obj = view.get_object()
+                )
 
-            elif view.action == 'retrieve':
+            elif(
+                view.action == 'retrieve'
+                and getattr(view.request._stream, 'method', '') == 'GET' 
+            ):
 
                 view_action = 'view'
 
                 obj_organization: Organization = view.get_obj_organization(
                     obj = view.get_object()
                 )
 
-            elif view.action == 'metadata':
+            elif(
+                view.action == 'metadata'
+                and getattr(view.request._stream, 'method', '') == 'OPTIONS'
+            ):
 
                 return True