Add permissions to custom filters

DavidMStraub · DavidMStraub · commit 7a8154079b92 · 2025-05-30T13:53:30.000Z
diff --git a/gramps_webapi/api/resources/filters.py b/gramps_webapi/api/resources/filters.py
@@ -24,16 +24,18 @@
 from typing import Any, Dict, List, Optional, Set
 
 import gramps.gen.filters as filters
-from flask import Response, abort
+from flask import Response, abort, current_app
 from gramps.gen.db.base import DbReadBase
 from gramps.gen.filters import GenericFilter
 from gramps.gen.filters.rules import Rule
 from gramps.gen.lib import Person
 from marshmallow import Schema
 from webargs import ValidationError, fields, validate
 
-from ...const import GRAMPS_NAMESPACES
+from ...auth.const import PERM_EDIT_CUSTOM_FILTER
+from ...const import GRAMPS_NAMESPACES, TREE_MULTI
 from ...types import Handle
+from ..auth import require_permissions
 from ..util import abort_with_message, use_args
 from . import ProtectedResource
 from .emit import GrampsJSONEncoder
@@ -261,6 +263,11 @@ def get(self, args: Dict[str, str], namespace: str) -> Response:
     @use_args(CustomFilterSchema(), location="json")
     def post(self, args: Dict, namespace: str) -> Response:
         """Create a custom filter."""
+        if current_app.config["TREE"] == TREE_MULTI:
+            abort_with_message(
+                405, "Custom filters cannot be edited in a multi-tree setup"
+            )
+        require_permissions([PERM_EDIT_CUSTOM_FILTER])
         try:
             namespace = GRAMPS_NAMESPACES[namespace]
         except KeyError:
@@ -278,6 +285,11 @@ def post(self, args: Dict, namespace: str) -> Response:
     @use_args(CustomFilterSchema(), location="json")
     def put(self, args: Dict, namespace: str) -> Response:
         """Update a custom filter."""
+        if current_app.config["TREE"] == TREE_MULTI:
+            abort_with_message(
+                405, "Custom filters cannot be edited in a multi-tree setup"
+            )
+        require_permissions([PERM_EDIT_CUSTOM_FILTER])
         try:
             namespace = GRAMPS_NAMESPACES[namespace]
         except KeyError:
@@ -320,6 +332,11 @@ def get(self, namespace: str, name: str) -> Response:
     )
     def delete(self, args: Dict, namespace: str, name: str) -> Response:
         """Delete a custom filter."""
+        if current_app.config["TREE"] == TREE_MULTI:
+            abort_with_message(
+                405, "Custom filters cannot be edited in a multi-tree setup"
+            )
+        require_permissions([PERM_EDIT_CUSTOM_FILTER])
         try:
             namespace = GRAMPS_NAMESPACES[namespace]
         except KeyError:
diff --git a/gramps_webapi/auth/const.py b/gramps_webapi/auth/const.py
@@ -62,6 +62,7 @@
 PERM_EDIT_SETTINGS = "EditSettings"
 PERM_TRIGGER_REINDEX = "TriggerReindex"
 PERM_EDIT_NAME_GROUP = "EditNameGroup"
+PERM_EDIT_CUSTOM_FILTER = "EditCustomFilter"
 PERM_EDIT_TREE = "EditTree"
 PERM_REPAIR_TREE = "RepairTree"
 PERM_UPGRADE_TREE_SCHEMA = "UpgradeSchema"
@@ -92,6 +93,7 @@
     PERM_EDIT_OBJ,
     PERM_DEL_OBJ,
     PERM_EDIT_NAME_GROUP,
+    PERM_EDIT_CUSTOM_FILTER,
 }
 
 
