- raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record['name'])
-
- # TODO: Check permission that self.client_cred can access the object
+ raise PermissionError(object_hrn + " has no rights to " + record['name'])
+
+ # make sure origin caller is either the caller or a child of the caller
+ if not origin_hrn.startswith(caller_hrn):
+ raise PermissionError("origin caller (%s) is not a child of actual caller (%s)" % (origin_hrn, caller_hrn)