add candidate user in request, require_same_user_or_profile decorator and use it to have easier auth policy check for user data

tracim/lib/core/user.py

@@ -106,16 +106,6 @@ class UserApi(object):
         except (WrongUserPassword, NoResultFound, UserNotExist):
             raise AuthenticationFailed()
 
-    def can_see_private_info_of_user(self, user: User):
-        """
-        Return boolean wheter current api user has right
-        to see private information of a user.
-        :param user:
-        :return:
-        """
-        return self._user and (
-                self._user.user_id == user.user_id or
-                self._user.profile.id >= Group.TIM_ADMIN)
     # Actions
 
     def update(

tracim/lib/utils/authorization.py

@@ -44,6 +44,26 @@ class AcceptAllAuthorizationPolicy(object):
 # We prefer to use decorators
 
 
+def require_same_user_or_profile(group):
+    """
+    Decorator for view to restrict access of tracim request if candidate user
+    is distinct from authenticated user and not with high enough profile.
+    :param group: value from Group Object
+    like Group.TIM_USER or Group.TIM_MANAGER
+    :return:
+    """
+    def decorator(func):
+        def wrapper(self, context, request: 'TracimRequest'):
+            auth_user = request.current_user
+            candidate_user = request.candidate_user
+            if auth_user.user_id == candidate_user.user_id or \
+                    auth_user.profile.id >= group:
+                return func(self, context, request)
+            raise InsufficientUserProfile()
+        return wrapper
+    return decorator
+
+
 def require_profile(group):
     """
     Decorator for view to restrict access of tracim request if profile is

tracim/lib/utils/request.py

@@ -1,8 +1,11 @@
-import typing
+# -*- coding: utf-8 -*-
+"""
+TracimRequest and related functions
+"""
 from pyramid.request import Request
 from sqlalchemy.orm.exc import NoResultFound
 
-from tracim.exceptions import NotAuthentificated
+from tracim.exceptions import NotAuthentificated, UserNotExist
 from tracim.exceptions import WorkspaceNotFound
 from tracim.exceptions import ImmutableAttribute
 from tracim.lib.core.user import UserApi
@@ -32,8 +35,13 @@ class TracimRequest(Request):
             decode_param_names,
             **kw
         )
+        # Current workspace, found by request headers or content
         self._current_workspace = None  # type: Workspace
+        # Authenticated user
         self._current_user = None  # type: User
+        # User found from request headers, content, distinct from authenticated
+        # user
+        self._user_candidate = None  # type: User
 
     @property
     def current_workspace(self) -> Workspace:
@@ -62,8 +70,11 @@ class TracimRequest(Request):
 
     @property
     def current_user(self) -> User:
+        """
+        Get user from authentication mecanism.
+        """
         if self._current_user is None:
-            self.current_user = get_safe_user(self)
+            self.current_user = get_auth_safe_user(self)
         return self._current_user
 
     @current_user.setter
@@ -74,11 +85,55 @@ class TracimRequest(Request):
             )
         self._current_user = user
 
+    # TODO - G.M - 24-05-2018 - Find a better naming for this ?
+    @property
+    def candidate_user(self) -> User:
+        """
+        Get user from headers/body request. This user is not
+        the one found by authentication mecanism. This user
+        can help user to know about who one page is about in
+        a similar way as current_workspace.
+        """
+        if self._user_candidate is None:
+            self.candidate_user = get_candidate_user(self)
+        return self._user_candidate
+
+    @candidate_user.setter
+    def candidate_user(self, user: User) -> None:
+        if self._user_candidate is not None:
+            raise ImmutableAttribute(
+                "Can't modify already setted candidate_user"
+            )
+        self._user_candidate = user
 ###
 # Utils for TracimRequest
 ###
 
-def get_safe_user(
+
+def get_candidate_user(
+        request: TracimRequest
+) -> User:
+    """
+    Get candidate user
+    :param request: pyramid request
+    :return: user found from header/body
+    """
+    app_config = request.registry.settings['CFG']
+    uapi = UserApi(None, session=request.dbsession, config=app_config)
+
+    try:
+        login = None
+        if 'user_id' in request.matchdict:
+            login = request.matchdict['user_id']
+        if not login:
+            raise UserNotExist('no user_id found, incorrect request ?')
+        user = uapi.get_one(login)
+    except NoResultFound:
+        raise NotAuthentificated('User not found')
+    return user
+
+
+def get_auth_safe_user(
         request: TracimRequest,
 ) -> User:
     """

tracim/views/core_api/user_controller.py

@@ -1,6 +1,8 @@
 from pyramid.config import Configurator
 from sqlalchemy.orm.exc import NoResultFound
 
+from tracim.lib.utils.authorization import require_same_user_or_profile
+from tracim.models import Group
 from tracim.models.context_models import WorkspaceInContext
 
 try:  # Python 3.5+
@@ -21,27 +23,17 @@ from tracim.views.core_api.schemas import UserIdPathSchema, \
 class UserController(Controller):
 
     @hapic.with_api_doc()
-    @hapic.input_path(UserIdPathSchema())
     @hapic.handle_exception(NotAuthentificated, HTTPStatus.UNAUTHORIZED)
     @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(UserNotExist, HTTPStatus.NOT_FOUND)
+    @require_same_user_or_profile(Group.TIM_ADMIN)
+    @hapic.input_path(UserIdPathSchema())
     @hapic.output_body(WorkspaceDigestSchema(many=True),)
     def user_workspace(self, context, request: TracimRequest, hapic_data=None):
         """
         Get list of user workspaces
         """
         app_config = request.registry.settings['CFG']
-
-        uid = hapic_data.path['user_id']
-        uapi = UserApi(
-            request.current_user,
-            session=request.dbsession,
-            config=app_config,
-        )
-        user = uapi.get_one(uid)
-        if not uapi.can_see_private_info_of_user(user):
-            raise InsufficientUserProfile()
-
         wapi = WorkspaceApi(
             current_user=request.current_user,  # User
             session=request.dbsession,
@@ -49,7 +41,7 @@ class UserController(Controller):
         )
         return [
             WorkspaceInContext(workspace, request.dbsession, app_config)
-            for workspace in wapi.get_all_for_user(user)
+            for workspace in wapi.get_all_for_user(request.candidate_user)
         ]
 
     def bind(self, configurator: Configurator) -> None: