From beb4e841baf0ba9fa120ba180c25306c68132406 Mon Sep 17 00:00:00 2001
From: fatpeppapig
Date: Wed, 8 Apr 2026 11:12:26 +0200
Subject: [PATCH] Fixed permissions on alert comments.

---
 source/app/blueprints/rest/v2/alerts.py | 7 ++++-
 .../rest/v2/alerts_routes/comments.py | 31 ++++++++++++++++---
 source/app/business/comments.py | 8 ++---
 3 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/source/app/blueprints/rest/v2/alerts.py b/source/app/blueprints/rest/v2/alerts.py
index 1245fe2ba..b3a4f3d21 100644
--- a/source/app/blueprints/rest/v2/alerts.py
+++ b/source/app/blueprints/rest/v2/alerts.py
@@ -226,7 +226,12 @@ def get_related_alerts(self, identifier):
 
 def update(self, identifier):
 try:
- alert = alerts_get(iris_current_user, (session.get('permissions') or 0), identifier)
+ alert = alerts_get(
+ iris_current_user,
+ (session.get('permissions') or 0),
+ identifier,
+ fallback_customer_access=ac_current_user_has_customer_access
+ )
 request_data = request.get_json()
 updated_alert = self._schema.load(request_data, instance=alert, partial=True)
 activity_data = []
diff --git a/source/app/blueprints/rest/v2/alerts_routes/comments.py b/source/app/blueprints/rest/v2/alerts_routes/comments.py
index 433ab9bdb..84c92d629 100644
--- a/source/app/blueprints/rest/v2/alerts_routes/comments.py
+++ b/source/app/blueprints/rest/v2/alerts_routes/comments.py
@@ -22,6 +22,7 @@
 from marshmallow.exceptions import ValidationError
 
 from app.blueprints.access_controls import ac_api_requires
+from app.blueprints.access_controls import ac_current_user_has_customer_access
 from app.models.authorization import Permissions
 from app.blueprints.rest.endpoints import response_api_paginated
 from app.blueprints.rest.endpoints import response_api_success
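Review bot: Only `update` gains the customer-access fallback in this file; `get_related_alerts`, named in the hunk header, and the resource's other methods lie outside the hunk, so if any of them still resolve the alert with the old `alerts_get(iris_current_user, (session.get('permissions') or 0), identifier)` call, the authorization outcome now differs between endpoints of the same resource and a customer-scoped user could end up allowed to modify an alert that the sibling endpoints refuse to show. Worth confirming those call sites and passing `fallback_customer_access=ac_current_user_has_customer_access` there as well, or recording in the commit why update alone needs it. The body of update continues past the hunk.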
@@ -51,7 +52,13 @@ def __init__(self):
 def search(self, alert_identifier):
 pagination_parameters = parse_pagination_parameters(request)
 try:
- comments = comments_get_filtered_by_alert(iris_current_user, (session.get('permissions') or 0), alert_identifier, pagination_parameters)
+ comments = comments_get_filtered_by_alert(
+ iris_current_user,
+ (session.get('permissions') or 0),
+ alert_identifier,
+ pagination_parameters,
+ fallback_customer_access=ac_current_user_has_customer_access
+ )
 return response_api_paginated(self._schema, comments)
 except ObjectNotFoundError:
 return response_api_not_found()
@@ -59,7 +66,13 @@ def search(self, alert_identifier):
 def create(self, alert_identifier):
 try:
 comment = self._schema.load(request.get_json())
- comments_create_for_alert(iris_current_user, (session.get('permissions') or 0), comment, alert_identifier)
+ comments_create_for_alert(
+ iris_current_user,
+ (session.get('permissions') or 0),
+ comment,
+ alert_identifier,
+ fallback_customer_access=ac_current_user_has_customer_access
+ )
 result = self._schema.dump(comment)
 return response_api_created(result)
 except ValidationError as e:
@@ -69,7 +82,12 @@ def create(self, alert_identifier):
 
 def read(self, alert_identifier, identifier):
 try:
- alert = alerts_get(iris_current_user, (session.get('permissions') or 0), alert_identifier)
+ alert = alerts_get(
+ iris_current_user,
+ (session.get('permissions') or 0),
+ alert_identifier,
+ fallback_customer_access=ac_current_user_has_customer_access
+ )
 comment = comments_get_for_alert(alert, identifier)
 result = self._schema.dump(comment)
 return response_api_success(result)
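Review bot: The six-line `alerts_get(...)` expansion in `read` is repeated verbatim in `delete` in the next hunk and in `update` of alerts.py, and `search` and `create` repeat the same `iris_current_user, (session.get('permissions') or 0), ..., fallback_customer_access=ac_current_user_has_customer_access` argument set; the access rule now lives in five copies, so a later change to the permission check can be applied to some endpoints and missed at others. A small private helper on the resource, e.g. `def _alert_for_current_user(self, alert_identifier): return alerts_get(iris_current_user, (session.get('permissions') or 0), alert_identifier, fallback_customer_access=ac_current_user_has_customer_access)`, would keep the rule in one place for read and delete, and a sibling helper could do the same for the two comments_* calls. Each of these methods continues outside its hunk.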
@@ -85,7 +103,12 @@ def update(self, alert_identifier, identifier):
 
 def delete(self, alert_identifier, identifier):
 try:
- alert = alerts_get(iris_current_user, (session.get('permissions') or 0), alert_identifier)
+ alert = alerts_get(
+ iris_current_user,
+ (session.get('permissions') or 0),
+ alert_identifier,
+ fallback_customer_access=ac_current_user_has_customer_access
+ )
 comment = comments_get_for_alert(alert, identifier)
 if comment.comment_user_id != iris_current_user.id:
 return ac_api_return_access_denied()
diff --git a/source/app/business/comments.py b/source/app/business/comments.py
index de06bd162..03c30e3dd 100644
--- a/source/app/business/comments.py
+++ b/source/app/business/comments.py
@@ -67,8 +67,8 @@
 from app.models.alerts import Alert
 
 
-def comments_get_filtered_by_alert(current_user, permissions, alert_identifier: int, pagination_parameters: PaginationParameters) -> Pagination:
- if not alerts_exists(current_user, permissions, alert_identifier):
+def comments_get_filtered_by_alert(current_user, permissions, alert_identifier: int, pagination_parameters: PaginationParameters, fallback_customer_access=None) -> Pagination:
+ if not alerts_exists(current_user, permissions, alert_identifier, fallback_customer_access):
 raise ObjectNotFoundError()
 return get_filtered_alert_comments(alert_identifier, pagination_parameters)
 
@@ -121,8 +121,8 @@ def comments_update_for_case(current_user, comment_text, comment_id, object_type
 return comment
 
 
-def comments_create_for_alert(current_user, permissions, comment: Comments, alert_identifier: int):
- alert = alerts_get(current_user, permissions, alert_identifier)
+def comments_create_for_alert(current_user, permissions, comment: Comments, alert_identifier: int, fallback_customer_access=None):
+ alert = alerts_get(current_user, permissions, alert_identifier, fallback_customer_access)
 comment.comment_alert_id = alert_identifier
 comment.comment_user_id = current_user.id
 comment.comment_date = datetime.now()
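Review bot: `update(self, alert_identifier, identifier)`, shown in the hunk header between `read` and `delete`, is not touched by this commit; if it fetches the alert with the old `alerts_get(iris_current_user, (session.get('permissions') or 0), alert_identifier)` call, customer-scoped users who can now read and delete their comments would still be refused when editing them. Worth checking that method and giving it the same `fallback_customer_access=ac_current_user_has_customer_access` argument if so. The existing author check `if comment.comment_user_id != iris_current_user.id:` stays in place after the new lookup, so the fallback widens who can reach a comment but not who may delete it. The body of delete continues past the hunk.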
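Review bot: `fallback_customer_access` is forwarded positionally to `alerts_exists` here and to `alerts_get` in the `comments_create_for_alert` hunk below, while every route passes it by keyword; if either callee later gains another optional parameter ahead of it, the positional forward silently binds the callback to the wrong slot and the access check changes meaning without any error. Forward it by name at both sites, `if not alerts_exists(current_user, permissions, alert_identifier, fallback_customer_access=fallback_customer_access):` and `alert = alerts_get(current_user, permissions, alert_identifier, fallback_customer_access=fallback_customer_access)`. The new parameter also carries no annotation or docstring, unlike `alert_identifier` and `pagination_parameters`, and since the routes pass the function `ac_current_user_has_customer_access` itself, a comment such as `# fallback_customer_access: optional callable handed through to alerts_exists/alerts_get; routes pass ac_current_user_has_customer_access` would tell a reader it is a callback, not a flag. `comments_create_for_alert` continues past its hunk.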