permissions checking for Field API endpoints

9e466d8b · Cam Saul · 37925177 · 9e466d8b · 9e466d8b · 9e466d8b
Commit 9e466d8b authored 10 years ago by Cam Saul
--- a/src/metabase/api/meta/field.clj
+++ b/src/metabase/api/meta/field.clj
@@ -6,18 +6,18 @@
                             [field :refer [Field]])))

 (defendpoint GET "/:id" [id]
-  ;; TODO check can read
-  (->404 (sel :one Field :id id)
-         (hydrate [:table :db])))
+  (let-404 [{:keys [can_read] :as field} (sel :one Field :id id)]
+    (check-403 @can_read)
+    (hydrate field [:table :db])))

 (defendpoint PUT "/:id" [id :as {{:keys [special_type preview_display description]} :body}]
-  (check-404 (exists? Field :id id))
-  ;; TODO check can write
+  (let-404 [{:keys [can_write]} (sel :one Field :id id)]
+    (check-403 @can_write))
  (upd Field id :special_type special_type :preview_display preview_display :description description))

 (defendpoint GET "/:id/summary" [id]
-  ;; TODO - check can read
-  (let-404 [{:keys [count distinct-count]} (sel :one Field :id id)]
+  (let-404 [{:keys [can_read count distinct-count]} (sel :one Field :id id)]
+    (check-403 @can_read)
    [[:count @count]
     [:distincts @distinct-count]]))


--- a/src/metabase/models/field.clj
+++ b/src/metabase/models/field.clj
@@ -70,7 +70,8 @@
  (util/assoc* field
               :table (sel-fn :one "metabase.models.table/Table" :id table_id)
               :db (delay ((:db ((:table <>)))))
-               :can_read (delay (:can_read @(:db <>)))
+               :can_read (delay @(:can_read ((:table <>))))
+               :can_write (delay @(:can_write ((:table <>))))
               :count (delay (field-count <>))
               :distinct-count (delay (field-distinct-count <>))))


--- a/src/metabase/models/table.clj
+++ b/src/metabase/models/table.clj
@@ -21,7 +21,9 @@
  (util/assoc* table
               :db (sel-fn :one Database :id db_id)
               :fields (sel-fn :many Field :table_id id)
-               :jdbc-columns (delay (jdbc-columns ((:db <>)) name))))
+               :jdbc-columns (delay (jdbc-columns ((:db <>)) name))
+               :can_read (delay @(:can_read ((:db <>))))
+               :can_write (delay @(:can_write ((:db <>))))))

 (defmethod pre-insert Table [_ table]
  (assoc table