X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=portal%2Faccountview.py;h=81935424b5c825c477e0603a8b76e148b4928ad2;hb=5b317ebfa26716bc4a4d0c761eb46a13c1d39353;hp=325796bce243e3b71702b3b7dd5fb7a46be24e7f;hpb=38deb95de7c5d9cad0dd75deb00b04971dbb01bc;p=unfold.git
diff --git a/portal/accountview.py b/portal/accountview.py
index 325796bc..81935424 100644
--- a/portal/accountview.py
+++ b/portal/accountview.py
@@ -38,6 +38,10 @@ class AccountView(LoginRequiredAutoLogoutView, ThemeView):
 page.add_js_files ( [ "js/jquery.validate.js", "js/my_account.register.js", "js/my_account.edit_profile.js","js/jquery-ui.js" ] )
 page.add_css_files ( [ "css/onelab.css", "css/account_view.css","css/plugin.css" ] )
+ # Execute a Query to delegate credentials if necessary
+ sfa_user_query = Query().get('myslice:user').select('user_hrn').filter_by('user_hrn','==','$user_hrn')
+ sfa_user_result = execute_query(self.request, sfa_user_query)
+
 user_query = Query().get('local:user').select('config','email','status')
 user_details = execute_query(self.request, user_query)
@@ -261,10 +265,19 @@ def account_process(request):
 platform_query = Query().get('local:platform').select('platform_id','platform')
 platform_details = execute_query(request, platform_query)
- # getting the user_id from the session
- for user_detail in user_details:
- user_id = user_detail['user_id']
- user_email = user_detail['email']
+ # getting the user_id from the session
+ for user_detail in user_details:
+ user_id = user_detail['user_id']
+ user_email = user_detail['email']
+ try:
+ if user_email == request.user.email:
+ authorize_query = True
+ else:
+ print "SECURITY: %s tried to update %s" % (user_email, request.user.email)
+ messages.error(request, 'You are not authorized to modify another user.')
+ return HttpResponseRedirect("/portal/account/")
+ except Exception,e:
+ print "Exception = %s" % e
 for account_detail in account_details:
 for platform_detail in platform_details:
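Review bot: `sfa_user_result` is assigned but never read in the visible lines of the first hunk, so the `myslice:user` query appears to run only for its side effect of delegating credentials. If that is the intent, say so and drop the unused name, e.g. `execute_query(self.request, sfa_user_query)  # run only for its side effect: credential delegation`. A failed or empty result is neither checked nor reported here, so decide whether the account page should still render in that case. The enclosing method starts and ends outside the hunk.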
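Review bot: The ownership check added in the second hunk fails open: any exception raised while comparing `user_email` with `request.user.email` is caught by `except Exception,e:`, printed, and execution carries on into the update code below, while `authorize_query` is neither initialised nor read in the visible lines. Deny by default instead, with `authorize_query = False` before the loop and `return HttpResponseRedirect("/portal/account/")` at the end of the handler. The arguments of the SECURITY message look reversed, since `request.user.email` is the requester and `user_email` the record being changed. That message and the `print` added in the hunk at new line 413 would be better sent through `logging`, so that a denied attempt carries a timestamp and reaches the server log. Indentation is lost on this page, so whether the `try` sits inside the `for` is inferred, and `account_process` continues outside the hunk.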
@@ -385,7 +398,7 @@ def account_process(request):
 # updating sfa
 public_key = public_key.replace('"', '');
 user_pub_key = {'keys': public_key}
- #sfa_update_user(request, user_hrn, user_pub_key)
+ sfa_update_user(request, user_hrn, user_pub_key)
 result_sfa_user = sfa_get_user(request, user_hrn, public_key)
 try:
@@ -400,6 +413,7 @@ def account_process(request):
 raise Exception,"Keys are not matching"
 except Exception,e:
 messages.error(request, 'Error: An error occured during the update of your public key at the Registry, or your public key is not matching the one stored.')
+ print "Exception in accountview ", e
 return HttpResponseRedirect("/portal/account/")
 else:
 messages.error(request, 'Account error: You need an account in myslice platform to perform this action')
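Review bot: The re-enabled `sfa_update_user(request, user_hrn, user_pub_key)` call sits before the `try:` that follows `sfa_get_user`, so unless a handler outside the hunk covers it, a Registry error raised by the update never reaches the user-facing error branch, and its return value is ignored. Moving both Registry calls under that `try:` would route a failed update to the existing message and redirect. This line now writes key material to the Registry, so it relies on the ownership check added earlier in `account_process`, and the only sanitising visible here is `public_key.replace('"', '')`. Where `user_hrn` comes from is outside the hunk; confirm it is taken from the authenticated session rather than from request data, and that the key is checked to be a well-formed public key before it is sent.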