Disallow API access for non-Fairphone-staff users
authorMitja Nikolaus <mitja@fairphone.com>
Mon, 5 Nov 2018 09:22:22 +0000 (10:22 +0100)
committerMitja Nikolaus <mitja@fairphone.com>
Thu, 6 Dec 2018 14:34:09 +0000 (14:34 +0000)
Do not give permissions for users that are not in the Fairphone
staff group.

Issue: HIC-250
Change-Id: I400eade07396d24e6168ae12561a643a403b8491

crashreports/permissions.py

index 4ee567d..331c3a2 100644 (file)
@@ -36,8 +36,7 @@ def user_is_hiccup_staff(user):
     """Determine whether a user is part of the Hiccup staff.
 
     Returns true if either the user is part of the group
-    "FairphoneSoftwareTeam", or he/she has all permissions for manipulating
-    crashreports, heartbeats and logfiles.
+    "FairphoneSoftwareTeam".
 
     Args:
         user: The user making the request.
@@ -45,24 +44,7 @@ def user_is_hiccup_staff(user):
     Returns: True if user is part of the Hiccup staff.
 
     """
-    if user.groups.filter(name=FP_STAFF_GROUP_NAME).exists():
-        return True
-    return user.has_perms(
-        [
-            # Crashreports
-            "crashreports.add_crashreport",
-            "crashreports.change_crashreport",
-            "crashreports.del_crashreport",
-            # Heartbeats
-            "heartbeat.add_crashreport",
-            "heartbeat.change_crashreport",
-            "heartbeat.del_crashreport",
-            # Logfiles
-            "heartbeat.add_logfile",
-            "heartbeat.change_logfile",
-            "heartbeat.del_logfile",
-        ]
-    )
+    return user.groups.filter(name=FP_STAFF_GROUP_NAME).exists()
 
 
 class HasStatsAccess(BasePermission):
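Review bot: The docstring kept in the first hunk still reads `Returns true if either the user is part of the group`, so with the second alternative removed the "either" now dangles; suggest `Returns True if the user is a member of the FP_STAFF_GROUP_NAME group.` so the text and the constant used by the code agree. A behavioural caveat is worth a docstring line as well: the removed has_perms() path implicitly granted access to active superusers (Django's ModelBackend answers True for them), whereas the new `return user.groups.filter(name=FP_STAFF_GROUP_NAME).exists()` does not, so a superuser outside the group is now denied — presumably intended given the commit title, but it should be stated explicitly. The membership check also does not consult `user.is_active`; if the views' authentication classes do not already reject inactive accounts, `return user.is_active and user.groups.filter(name=FP_STAFF_GROUP_NAME).exists()` closes that gap. The function's `def` line lies outside the hunk and is visible only in the @@ header.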