Diffstat (limited to 'sugar_network/node/commands.py')
-rw-r--r-- | sugar_network/node/commands.py | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sugar_network/node/commands.py b/sugar_network/node/commands.py
index 47d4c82..ae63305 100644
--- a/sugar_network/node/commands.py
+++ b/sugar_network/node/commands.py
@@ -95,10 +95,13 @@ class NodeCommands(VolumeCommands, Commands):
 'User is not authenticated')
 if cmd.permissions & ad.ACCESS_AUTHOR and 'guid' in request:
- doc = self.volume[request['document']].get(request['guid'])
- enforce(request.principal in doc['user'] or
- auth.try_validate(request, 'root'), ad.Forbidden,
- 'Operation is permitted only for authors')
+ if request['document'] == 'user':
+ allowed = (request.principal == request['guid'])
+ else:
+ doc = self.volume[request['document']].get(request['guid'])
+ allowed = (request.principal in doc['user'])
+ enforce(allowed or auth.try_validate(request, 'root'),
+ ad.Forbidden, 'Operation is permitted only for authors')
 return cmd |
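Review bot: The new `user` branch makes an authorization decision on an invariant the hunk never states, namely that a `user` document's guid is the principal's own identifier. It should carry a comment such as `# A user document's guid is the principal id, so ownership is a direct comparison, not a lookup in doc['user']`. Because this branch no longer loads the document, the outcome rests entirely on `request.principal`. The authentication check above it is only partly visible, so it is worth confirming the principal cannot be empty here, or making that explicit with `allowed = bool(request.principal) and request.principal == request['guid']`. The enclosing method starts and ends outside the hunk.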