From 3f3e43ad2d4ca6e1261aa4d81cd0c9281b5dc5c0 Mon Sep 17 00:00:00 2001
From: Jon
Date: Fri, 27 Dec 2024 18:25:18 +0930
Subject: [PATCH] feat(access): Enforce view action and HTTP/Method match for permission checks

ref: #442
---
 app/access/mixins/permissions.py | 45 +++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 15 deletions(-)

diff --git a/app/access/mixins/permissions.py b/app/access/mixins/permissions.py
index b6d7630b5..b8d0ea932 100644
--- a/app/access/mixins/permissions.py
+++ b/app/access/mixins/permissions.py
@@ -102,42 +102,54 @@ def has_permission(self, request, view):
         if(
             view.action == 'create'
-            or getattr(view.request._stream, 'method', '') == 'POST'
+            and getattr(view.request._stream, 'method', '') == 'POST'
         ):
             view_action = 'add'
-        elif (
-            view.action == 'partial_update'
-            or view.action == 'update'
-            or getattr(view.request._stream, 'method', '') == 'PATCH'
-            or getattr(view.request._stream, 'method', '') == 'PUT'
+        elif(
+            view.action == 'destroy'
+            and getattr(view.request._stream, 'method', '') == 'DELETE'
         ):
-            view_action = 'change'
+            view_action = 'delete'
             obj_organization: Organization = view.get_obj_organization(
                 obj = view.get_object()
             )
-        elif(
-            view.action == 'destroy'
-            or getattr(view.request._stream, 'method', '') == 'DELETE'
+        elif (
+            view.action == 'list'
         ):
-            view_action = 'delete'
+            view_action = 'view'
+
+        elif (
+            view.action == 'partial_update'
+            and getattr(view.request._stream, 'method', '') == 'PATCH'
+        ):
+
+            view_action = 'change'
             obj_organization: Organization = view.get_obj_organization(
                 obj = view.get_object()
             )
         elif (
-            view.action == 'list'
+            view.action == 'update'
+            and getattr(view.request._stream, 'method', '') == 'PUT'
         ):
-            view_action = 'view'
+            view_action = 'change'
+
+            obj_organization: Organization = view.get_obj_organization(
+                obj = view.get_object()
+            )
-        elif view.action == 'retrieve':
+        elif(
+            view.action == 'retrieve'
+            and getattr(view.request._stream, 'method', '') == 'GET'
+        ):
             view_action = 'view'
@@ -145,7 +157,10 @@ def has_permission(self, request, view):
                 obj = view.get_object()
             )
-        elif view.action == 'metadata':
+        elif(
+            view.action == 'metadata'
+            and getattr(view.request._stream, 'method', '') == 'OPTIONS'
+        ):
             return True
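Review bot: The `list` branch is the only one in the new chain that does not pair the action with an HTTP method, so a `list` action reached through any method is still mapped to `view`; if the intent is that every action must match its method, it should read `view.action == 'list' and getattr(view.request._stream, 'method', '') == 'GET'`. With the `or` conditions replaced by `and`, a request whose action and method disagree (for example `create` without `POST`) no longer lands in any branch, including the `metadata`/`OPTIONS` branch in the second hunk; has_permission starts and continues outside both hunks, so please confirm the chain ends in an explicit deny (`return False`) rather than leaving `view_action` unbound and raising a NameError on the later read. The method is read seven times via `getattr(view.request._stream, 'method', '')`; binding it once before the chain, `http_method = getattr(view.request._stream, 'method', '')`, removes the repetition, and a short comment should say why the private `_stream` attribute is read instead of DRF's `request.method`.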