Merge pull request #2933 from bacongobbler/2858-403-app-errors

Matthew Fisher · Matthew Fisher · commit fd558f97c117 · 2015-01-22T14:19:21.000-08:00
fix(controller): return 403 when a user does not have permission
diff --git a/controller/api/tests/test_app.py b/controller/api/tests/test_app.py
@@ -10,7 +10,6 @@
 import mock
 import os.path
 import requests
-import unittest
 
 from django.conf import settings
 from django.contrib.auth.models import User
@@ -268,7 +267,6 @@ def test_run_without_release_should_error(self):
         self.assertEqual(response.data, "No build associated with this release "
                                         "to run this command")
 
-    @unittest.expectedFailure
     def test_unauthorized_user_cannot_see_app(self):
         """
         An unauthorized user should not be able to access an app's resources.
diff --git a/controller/api/tests/test_container.py b/controller/api/tests/test_container.py
@@ -9,7 +9,6 @@
 import json
 import mock
 import requests
-import unittest
 
 from django.contrib.auth.models import User
 from django.test import TransactionTestCase
@@ -541,7 +540,6 @@ def test_run_command_good(self):
         rc, output = c.run('echo hi')
         self.assertEqual(json.loads(output)['entrypoint'], '/runner/init')
 
-    @unittest.expectedFailure
     def test_scale_with_unauthorized_user_returns_403(self):
         """An unauthorized user should not be able to access an app's resources.
 
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -107,9 +107,24 @@ class AppViewSet(BaseDeisViewSet):
     model = models.App
     serializer_class = serializers.AppSerializer
 
-    def get_queryset(self, **kwargs):
-        return super(AppViewSet, self).get_queryset(**kwargs) | \
+    def get_queryset(self, *args, **kwargs):
+        return self.model.objects.all(*args, **kwargs)
+
+    def list(self, request, *args, **kwargs):
+        """
+        HACK: Instead of filtering by the queryset, we limit the queryset to list only the apps
+        which are owned by the user as well as any apps they have been given permission to
+        interact with.
+        """
+        queryset = super(AppViewSet, self).get_queryset(**kwargs) | \
             get_objects_for_user(self.request.user, 'api.use_app')
+        instance = self.filter_queryset(queryset)
+        page = self.paginate_queryset(instance)
+        if page is not None:
+            serializer = self.get_pagination_serializer(page)
+        else:
+            serializer = self.get_serializer(instance, many=True)
+        return Response(serializer.data)
 
     def post_save(self, app):
         app.create()
