Skip to content

Commit

Permalink
Fix stage and state modification permission (#4324)
Browse files Browse the repository at this point in the history 
Co-authored-by: Matyesz12 <[email protected]>
  • Loading branch information
@bseres99 @turi-mate
bseres99 and turi-mate authored Feb 15, 2022
1 parent 2f1e89c commit a676862
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 3 deletions.
6 changes: 3 additions & 3 deletions cvat/apps/engine/tests/test_rest_api.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -357,7 +357,7 @@ def test_api_v2_jobs_id_owner(self):
def test_api_v2_jobs_id_annotator(self):
data = {"stage": StageChoice.ANNOTATION, "assignee": self.annotator.id}
response = self._run_api_v2_jobs_id(self.job.id, self.annotator, data)
self._check_request(response, data)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
response = self._run_api_v2_jobs_id(self.job.id + 10, self.annotator, data)
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)

Expand Down Expand Up @@ -391,8 +391,8 @@ def _run_api_v2_jobs_id(self, jid, user, data):

def test_api_v2_jobs_id_annotator_partial(self):
data = {"stage": StageChoice.ANNOTATION}
response = self._run_api_v2_jobs_id(self.job.id, self.owner, data)
self._check_request(response, data)
response = self._run_api_v2_jobs_id(self.job.id, self.annotator, data)
self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN, response)

def test_api_v2_jobs_id_admin_partial(self):
data = {"assignee_id": self.user.id}
Expand Down
4 changes: 4 additions & 0 deletions cvat/apps/iam/permissions.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -788,6 +788,10 @@ def get_scopes(cls, request, view, obj):
project_id = request.data.get('project_id') or request.data.get('project')
if project_id != getattr(obj.project, 'id', None):
scopes.append(scope + ':project')
if 'stage' in request.data:
scopes.append(scope + ':stage')
if 'state' in request.data:
scopes.append(scope + ':state')

if any(k in request.data for k in ('name', 'labels', 'bug_tracker', 'subset')):
scopes.append(scope + ':desc')
Expand Down

0 comments on commit a676862

Please sign in to comment.