api: Restrict API scopes

This change adds support for restricting API scopes in the OpenDC API server. This is necessary to make a distinction between runners and regular users.
author: Fabian Mastenbroek <mail.fabianm@gmail.com> 2021-07-02 16:47:40 +0200
committer: Fabian Mastenbroek <mail.fabianm@gmail.com> 2021-07-02 18:09:58 +0200
commit: fa7ffd9d1594a5bc9dba4fc65af0a4100988341b (patch)
tree: e3ce768109e3cb02a4ae4bfb9cda32ebf0e066e2 /opendc-web/opendc-web-api/opendc/api/topologies.py
parent: a2a5979bfb392565b55e489b6020aa391e782eb0 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/opendc-web/opendc-web-api/opendc/api/topologies.py b/opendc-web/opendc-web-api/opendc/api/topologies.py
index a2d3f41a..c0b2e7ee 100644
--- a/opendc-web/opendc-web-api/opendc/api/topologies.py
+++ b/opendc-web/opendc-web-api/opendc/api/topologies.py
@@ -26,7 +26,7 @@ from marshmallow import Schema, fields
 
 from opendc.models.project import Project
 from opendc.models.topology import Topology as TopologyModel, TopologySchema
-from opendc.exts import current_user, requires_auth
+from opendc.exts import current_user, requires_auth, has_scope
 
 
 class Topology(Resource):
@@ -41,7 +41,11 @@ class Topology(Resource):
         """
         topology = TopologyModel.from_id(topology_id)
         topology.check_exists()
-        topology.check_user_access(current_user['sub'], False)
+
+        # Users with scope runner can access all topologies
+        if not has_scope('runner'):
+            topology.check_user_access(current_user['sub'], False)
+
         data = TopologySchema().dump(topology.obj)
         return {'data': data}
author	Fabian Mastenbroek <mail.fabianm@gmail.com>	2021-07-02 16:47:40 +0200
committer	Fabian Mastenbroek <mail.fabianm@gmail.com>	2021-07-02 18:09:58 +0200
commit	fa7ffd9d1594a5bc9dba4fc65af0a4100988341b (patch)
tree	e3ce768109e3cb02a4ae4bfb9cda32ebf0e066e2 /opendc-web/opendc-web-api/opendc/api/topologies.py
parent	a2a5979bfb392565b55e489b6020aa391e782eb0 (diff)