Fixed permissions on alert comments.

source/app/blueprints/rest/v2/alerts.py

@@ -226,7 +226,12 @@ def get_related_alerts(self, identifier):
 
     def update(self, identifier):
         try:
-            alert = alerts_get(iris_current_user, (session.get('permissions') or 0), identifier)
+            alert = alerts_get(
+                iris_current_user,
+                (session.get('permissions') or 0),
+                identifier,
+                fallback_customer_access=ac_current_user_has_customer_access
+            )
             request_data = request.get_json()
             updated_alert = self._schema.load(request_data, instance=alert, partial=True)
             activity_data = []

source/app/blueprints/rest/v2/alerts_routes/comments.py

@@ -22,6 +22,7 @@
 from marshmallow.exceptions import ValidationError
 
 from app.blueprints.access_controls import ac_api_requires
+from app.blueprints.access_controls import ac_current_user_has_customer_access
 from app.models.authorization import Permissions
 from app.blueprints.rest.endpoints import response_api_paginated
 from app.blueprints.rest.endpoints import response_api_success
@@ -51,15 +52,27 @@ def __init__(self):
     def search(self, alert_identifier):
         pagination_parameters = parse_pagination_parameters(request)
         try:
-            comments = comments_get_filtered_by_alert(iris_current_user, (session.get('permissions') or 0), alert_identifier, pagination_parameters)
+            comments = comments_get_filtered_by_alert(
+                iris_current_user,
+                (session.get('permissions') or 0),
+                alert_identifier,
+                pagination_parameters,
+                fallback_customer_access=ac_current_user_has_customer_access
+            )
             return response_api_paginated(self._schema, comments)
         except ObjectNotFoundError:
             return response_api_not_found()
 
     def create(self, alert_identifier):
         try:
             comment = self._schema.load(request.get_json())
-            comments_create_for_alert(iris_current_user, (session.get('permissions') or 0), comment, alert_identifier)
+            comments_create_for_alert(
+                iris_current_user,
+                (session.get('permissions') or 0),
+                comment,
+                alert_identifier,
+                fallback_customer_access=ac_current_user_has_customer_access
+            )
             result = self._schema.dump(comment)
             return response_api_created(result)
         except ValidationError as e:
@@ -69,7 +82,12 @@ def create(self, alert_identifier):
 
     def read(self, alert_identifier, identifier):
         try:
-            alert = alerts_get(iris_current_user, (session.get('permissions') or 0), alert_identifier)
+            alert = alerts_get(
+                iris_current_user,
+                (session.get('permissions') or 0),
+                alert_identifier,
+                fallback_customer_access=ac_current_user_has_customer_access
+            )
             comment = comments_get_for_alert(alert, identifier)
             result = self._schema.dump(comment)
             return response_api_success(result)
@@ -85,7 +103,12 @@ def update(self, alert_identifier, identifier):
 
     def delete(self, alert_identifier, identifier):
         try:
-            alert = alerts_get(iris_current_user, (session.get('permissions') or 0), alert_identifier)
+            alert = alerts_get(
+                iris_current_user,
+                (session.get('permissions') or 0),
+                alert_identifier,
+                fallback_customer_access=ac_current_user_has_customer_access
+            )
             comment = comments_get_for_alert(alert, identifier)
             if comment.comment_user_id != iris_current_user.id:
                 return ac_api_return_access_denied()

source/app/business/comments.py

@@ -67,8 +67,8 @@
 from app.models.alerts import Alert
 
 
-def comments_get_filtered_by_alert(current_user, permissions, alert_identifier: int, pagination_parameters: PaginationParameters) -> Pagination:
-    if not alerts_exists(current_user, permissions, alert_identifier):
+def comments_get_filtered_by_alert(current_user, permissions, alert_identifier: int, pagination_parameters: PaginationParameters, fallback_customer_access=None) -> Pagination:
+    if not alerts_exists(current_user, permissions, alert_identifier, fallback_customer_access):
         raise ObjectNotFoundError()
 
     return get_filtered_alert_comments(alert_identifier, pagination_parameters)
@@ -121,8 +121,8 @@ def comments_update_for_case(current_user, comment_text, comment_id, object_type
     return comment
 
 
-def comments_create_for_alert(current_user, permissions, comment: Comments, alert_identifier: int):
-    alert = alerts_get(current_user, permissions, alert_identifier)
+def comments_create_for_alert(current_user, permissions, comment: Comments, alert_identifier: int, fallback_customer_access=None):
+    alert = alerts_get(current_user, permissions, alert_identifier, fallback_customer_access)
     comment.comment_alert_id = alert_identifier
     comment.comment_user_id = current_user.id
     comment.comment_date = datetime.now()