From 3d3b4d6da257e80de322fdfcf8e75019e9d7b46b Mon Sep 17 00:00:00 2001 From: terrtia Date: Mon, 24 Jun 2024 16:23:00 +0200 Subject: [PATCH] fix: [trackers] fix tracker view objects acl for global trackers --- bin/lib/Tracker.py | 16 ++++++++++++++++ var/www/blueprints/hunters.py | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/bin/lib/Tracker.py b/bin/lib/Tracker.py index a4e41c90..3d46c1f1 100755 --- a/bin/lib/Tracker.py +++ b/bin/lib/Tracker.py @@ -762,6 +762,9 @@ def delete_obj_trackers(obj_type, subtype, obj_id): #### TRACKERS ACL #### ## LEVEL ## +def is_tracker_global_level(tracker_uuid): + return r_tracker.hget(f'tracker:{tracker_uuid}', 'level') == 1 + def is_tracked_in_global_level(tracked, tracker_type): for tracker_uuid in get_trackers_by_tracked(tracker_type, tracked): tracker = Tracker(tracker_uuid) @@ -805,6 +808,19 @@ def api_is_allowed_to_edit_tracker(tracker_uuid, user_id): return {"status": "error", "reason": "Access Denied"}, 403 return {"uuid": tracker_uuid}, 200 + +def api_is_allowed_to_access_tracker(tracker_uuid, user_id): + if not is_valid_uuid_v4(tracker_uuid): + return {"status": "error", "reason": "Invalid uuid"}, 400 + tracker_creator = r_tracker.hget('tracker:{}'.format(tracker_uuid), 'user_id') + if not tracker_creator: + return {"status": "error", "reason": "Unknown uuid"}, 404 + user = User(user_id) + if not is_tracker_global_level(tracker_uuid): + if not user.is_in_role('admin') and user_id != tracker_creator: + return {"status": "error", "reason": "Access Denied"}, 403 + return {"uuid": tracker_uuid}, 200 + ##-- ACL --## #### FIX DB #### TODO ################################################################### diff --git a/var/www/blueprints/hunters.py b/var/www/blueprints/hunters.py index b619019b..20c68286 100644 --- a/var/www/blueprints/hunters.py +++ b/var/www/blueprints/hunters.py 
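Review bot: `is_tracker_global_level` compares the value returned by `r_tracker.hget(...)` with the integer `1`, but redis-py's `hget` returns a `str` (or `bytes` without `decode_responses`) or `None`, so unless the client is configured with a type converter the comparison is always False and every tracker is treated as non-global. That fails closed, but it also means the new `api_is_allowed_to_access_tracker` in the next hunk never grants the global read access this commit is meant to add. Suggested body: `level = r_tracker.hget(f'tracker:{tracker_uuid}', 'level')` followed by `return level is not None and int(level) == 1` (the setter for the `level` field is not in the hunk, so confirm the stored form before choosing between `int(level) == 1` and `level == '1'`). A one-line docstring stating that level 1 means global and that a missing field counts as non-global would make the contract explicit for the ACL callers.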
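Review bot: `api_is_allowed_to_access_tracker` has no docstring and repeats the uuid validation, creator lookup and owner/admin check of `api_is_allowed_to_edit_tracker` (whose tail is the context above), differing only in the global-level bypass, so the two gates can drift apart; after the existence check it could simply do `if is_tracker_global_level(tracker_uuid): return {"uuid": tracker_uuid}, 200` and then `return api_is_allowed_to_edit_tracker(tracker_uuid, user_id)`. Since this function is now the read-side ACL gate used by `show_tracker`, the rule deserves a docstring along the lines of `"""Return (payload, http_status): a global-level tracker is readable by any user, any other tracker only by its creator or an admin."""` so the intentional difference from the edit check is visible. The 404 "Unknown uuid" is returned before the ACL decision, which lets any user distinguish existing from non-existing tracker uuids; that mirrors the edit helper rather than being introduced here, but it is worth a comment if it is accepted behaviour. The creator and level live in the same hash, so one `hmget(f'tracker:{tracker_uuid}', 'user_id', 'level')` would also avoid the second round-trip made through `is_tracker_global_level`.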
@@ -145,7 +145,7 @@ def tracked_menu_admin(): def show_tracker(): user_id = current_user.get_id() tracker_uuid = request.args.get('uuid', None) - res = Tracker.api_is_allowed_to_edit_tracker(tracker_uuid, user_id) + res = Tracker.api_is_allowed_to_access_tracker(tracker_uuid, user_id) if res[1] != 200: # invalid access return Response(json.dumps(res[0], indent=2, sort_keys=True), mimetype='application/json'), res[1]