feat: introduce known_types check

Refs #128128
inuits · Jul 4, 2024 · 07ed07c · 07ed07c
1 parent 1a51b01
commit 07ed07c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/src/elody/policies/permission_handler.py b/src/elody/policies/permission_handler.py
@@ -47,7 +47,7 @@ def handle_single_item_request(
 ):
     try:
         item_in_storage_format, flat_item, object_lists, restrictions_schema = (
-            __prepare_item_for_permission_check(item, permissions, crud)
+            __prepare_item_for_permission_check(item, permissions, crud, user_context)
         )
 
         is_allowed_to_crud_item = (
@@ -87,7 +87,9 @@ def __post_request_hook(response):
                     flat_item,
                     object_lists,
                     restrictions_schema,
-                ) = __prepare_item_for_permission_check(item, permissions, "read")
+                ) = __prepare_item_for_permission_check(
+                    item, permissions, "read", user_context
+                )
                 if not flat_item:
                     continue
 
@@ -111,9 +113,13 @@ def __post_request_hook(response):
     return __post_request_hook
 
 
-def __prepare_item_for_permission_check(item, permissions, crud):
+def __prepare_item_for_permission_check(item, permissions, crud, user_context):
     item = deepcopy(item.get("storage_format", item))
-    if item.get("type", "") not in permissions[crud].keys():
+    known_types = user_context.bag.get("known_types")
+    type = item.get("type", "")
+    if (type not in permissions[crud].keys()) or (
+        known_types is not None and type not in known_types
+    ):
         return item, None, None, None
 
     config = get_object_configuration_mapper().get(item["type"])

diff --git a/src/elody/policies/tenant_id_resolver.py b/src/elody/policies/tenant_id_resolver.py
@@ -316,7 +316,9 @@ def get_tenant_id(self, request: Request) -> str | None:
             regex.match(r"^/mediafiles/(.+)$", request.path)
             and request.method == "DELETE"
         ):
-            raise Exception(self._get_tenant_id_from_mediafile(request.view_args.get("id")))
+            raise Exception(
+                self._get_tenant_id_from_mediafile(request.view_args.get("id"))
+            )
             return self._get_tenant_id_from_mediafile(request.view_args.get("id"))
         return None