Add permissions to custom filters

DavidMStraub · DavidMStraub · commit 2176ea9d0ddd · 2024-04-27T17:34:24.000+02:00
diff --git a/gramps_webapi/api/resources/filters.py b/gramps_webapi/api/resources/filters.py
@@ -23,15 +23,17 @@
 from typing import Any, Dict, List, Optional, Set
 
 import gramps.gen.filters as filters
-from flask import Response, abort
+from flask import Response, abort, current_app
 from gramps.gen.db.base import DbReadBase
 from gramps.gen.filters import GenericFilter
 from marshmallow import Schema
 from webargs import ValidationError, fields, validate
 
-from ..util import abort_with_message, use_args
-from ...const import GRAMPS_NAMESPACES
+from ...auth.const import PERM_EDIT_CUSTOM_FILTER
+from ...const import GRAMPS_NAMESPACES, TREE_MULTI
 from ...types import Handle
+from ..auth import require_permissions
+from ..util import abort_with_message, use_args
 from . import ProtectedResource
 from .emit import GrampsJSONEncoder
 
@@ -235,6 +237,11 @@ def get(self, args: Dict[str, str], namespace: str) -> Response:
     @use_args(CustomFilterSchema(), location="json")
     def post(self, args: Dict, namespace: str) -> Response:
         """Create a custom filter."""
+        if current_app.config["TREE"] == TREE_MULTI:
+            abort_with_message(
+                405, "Custom filters cannot be edited in a multi-tree setup"
+            )
+        require_permissions([PERM_EDIT_CUSTOM_FILTER])
         try:
             namespace = GRAMPS_NAMESPACES[namespace]
         except KeyError:
@@ -252,6 +259,11 @@ def post(self, args: Dict, namespace: str) -> Response:
     @use_args(CustomFilterSchema(), location="json")
     def put(self, args: Dict, namespace: str) -> Response:
         """Update a custom filter."""
+        if current_app.config["TREE"] == TREE_MULTI:
+            abort_with_message(
+                405, "Custom filters cannot be edited in a multi-tree setup"
+            )
+        require_permissions([PERM_EDIT_CUSTOM_FILTER])
         try:
             namespace = GRAMPS_NAMESPACES[namespace]
         except KeyError:
@@ -294,6 +306,11 @@ def get(self, namespace: str, name: str) -> Response:
     )
     def delete(self, args: Dict, namespace: str, name: str) -> Response:
         """Delete a custom filter."""
+        if current_app.config["TREE"] == TREE_MULTI:
+            abort_with_message(
+                405, "Custom filters cannot be edited in a multi-tree setup"
+            )
+        require_permissions([PERM_EDIT_CUSTOM_FILTER])
         try:
             namespace = GRAMPS_NAMESPACES[namespace]
         except KeyError:
diff --git a/gramps_webapi/auth/const.py b/gramps_webapi/auth/const.py
@@ -62,6 +62,7 @@
 PERM_EDIT_SETTINGS = "EditSettings"
 PERM_TRIGGER_REINDEX = "TriggerReindex"
 PERM_EDIT_NAME_GROUP = "EditNameGroup"
+PERM_EDIT_CUSTOM_FILTER = "EditCustomFilter"
 PERM_EDIT_TREE = "EditTree"
 PERM_REPAIR_TREE = "RepairTree"
 PERM_UPGRADE_TREE_SCHEMA = "UpgradeSchema"
@@ -88,6 +89,7 @@
     PERM_EDIT_OBJ,
     PERM_DEL_OBJ,
     PERM_EDIT_NAME_GROUP,
+    PERM_EDIT_CUSTOM_FILTER,
 }
 
 
