dhruv575 commited on
Commit ·
62ea624
1
Parent(s): bacb197
Cooked
controllers/incident_controller.py
CHANGED
|
@@ -76,7 +76,18 @@ def process_incident_sync(current_user, incident_id):
|
|
| 76 |
return jsonify({'message': 'Incident not found'}), 404
|
| 77 |
|
| 78 |
# Check if user has permission to process this incident
|
| 79 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 80 |
return jsonify({'message': 'You do not have permission to process this incident'}), 403
|
| 81 |
|
| 82 |
# Get the workflow for this incident
|
|
|
|
| 76 |
return jsonify({'message': 'Incident not found'}), 404
|
| 77 |
|
| 78 |
# Check if user has permission to process this incident
|
| 79 |
+
# An Admin can process any incident in their department.
|
| 80 |
+
# A regular user can only process their own incidents.
|
| 81 |
+
is_admin = current_user.permissions == 'Admin'
|
| 82 |
+
is_owner = str(incident.user_id) == str(current_user._id)
|
| 83 |
+
in_department = str(incident.department_id) == str(current_user.department_id)
|
| 84 |
+
|
| 85 |
+
# Check permissions based on role
|
| 86 |
+
if not in_department:
|
| 87 |
+
# Should generally not happen if incidents are fetched correctly, but good failsafe
|
| 88 |
+
return jsonify({'message': 'Cannot process incidents outside your department'}), 403
|
| 89 |
+
|
| 90 |
+
if not is_admin and not is_owner:
|
| 91 |
return jsonify({'message': 'You do not have permission to process this incident'}), 403
|
| 92 |
|
| 93 |
# Get the workflow for this incident
|
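Review bot: The new `in_department` and `is_owner` comparisons on new lines 82–83 coerce both sides with `str()`, so two unset ids compare equal (`str(None) == str(None)` is true); if `department_id` or `user_id` can ever be missing on an incident or a user, a user with no department would pass the department gate for every incident that also lacks one, and the ownership test has the same weakness. The guard should require the incident-side id to be present before comparing, e.g. `is_owner = incident.user_id is not None and str(incident.user_id) == str(current_user._id)` and `in_department = incident.department_id is not None and str(incident.department_id) == str(current_user.department_id)`. The role test on new line 81 is a plain string equality against `'Admin'`; a short comment naming where that value is assigned (or a shared constant) would make the trust boundary easier to audit. The enclosing `process_incident_sync` starts before this hunk and continues after it.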