diff --git a/src/ims/application/_api.py b/src/ims/application/_api.py
index 78d575d62..beda473a8 100644
--- a/src/ims/application/_api.py
+++ b/src/ims/application/_api.py
@@ -225,8 +225,9 @@ async def personnelResource(
 """
 Personnel endpoint.
 """
+ eventId = queryValue(request, "event_id")
 await self.config.authProvider.authorizeRequest(
- request, None, Authorization.readPersonnel
+ request, eventId, Authorization.readPersonnel
 )
 
 stream, etag = await self.personnelData()
diff --git a/src/ims/auth/_provider.py b/src/ims/auth/_provider.py
index 838432ef7..2e5683f93 100644
--- a/src/ims/auth/_provider.py
+++ b/src/ims/auth/_provider.py
@@ -397,8 +397,6 @@ async def authorizationsForUser(
 authorizations = Authorization.none
 
 if user is not None:
- authorizations |= Authorization.readPersonnel
-
 for shortName in user.shortNames:
 if shortName in self.adminUsers:
 authorizations |= Authorization.imsAdmin
@@ -410,12 +408,14 @@ async def authorizationsForUser(
 authorizations |= Authorization.writeIncidents
 authorizations |= Authorization.readIncidents
 authorizations |= Authorization.writeIncidentReports
+ authorizations |= Authorization.readPersonnel
 else:
 if self._matchACL(
 user, frozenset(await self.store.readers(eventID))
 ):
 authorizations |= Authorization.readIncidents
+ authorizations |= Authorization.readPersonnel
 
 if self._matchACL(
 user,
diff --git a/src/ims/element/static/incident.js b/src/ims/element/static/incident.js
index c6ea63c72..78b177559 100644
--- a/src/ims/element/static/incident.js
+++ b/src/ims/element/static/incident.js
@@ -244,7 +244,7 @@ function loadPersonnel(success) {
 setErrorMessage(message);
 }
 
- jsonRequest(url_personnel, null, ok, fail);
+ jsonRequest(urlReplace(url_personnel + "?event_id="), null, ok, fail);
 }
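Review bot: `eventId = queryValue(request, "event_id")` makes the parameter effectively mandatory for this endpoint, yet a missing or empty `event_id` is not rejected here; it is handed straight to `authorizeRequest`, so a client that omits it presumably sees an authorization failure rather than a bad-request response naming the missing parameter. Rejecting an absent or empty `eventId` explicitly before the authorization call, using the handler's usual bad-request path, would give callers a diagnosable error and keep the access-control failure distinct from a malformed request. The docstring should also say what the new contract is, e.g. `Personnel endpoint. Requires an ``event_id`` query parameter; personnel data is served only to users authorized to read that event.` The body of personnelResource continues past the end of the hunk.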
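Review bot: `readPersonnel` is now granted only alongside the incident-write grants in the first branch and alongside `readIncidents` in the readers-ACL branch, so an authenticated user with no ACL membership for the event — and, if the `else` branch is not reached for a `None` event, any request without an `event_id` — no longer receives it; that appears to be the intended tightening of who can see personnel data, but it deserves a regression test asserting that `readPersonnel` is absent in exactly those cases. The `_matchACL` call that begins at the bottom of the hunk continues outside it, so whether the role it grants should also carry `readPersonnel` (a writer who is not also listed as a reader would otherwise lose personnel access) should be confirmed. A short comment above each new line, `# Personnel data is scoped to the event's ACL; there is no longer a blanket grant to every authenticated user.`, would explain why the same flag is set in two places. The preceding hunk at -397 only removes the former blanket grant; authorizationsForUser starts and ends outside both hunks.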
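Review bot: `urlReplace(url_personnel + "?event_id=")` builds a query string by concatenation and relies on `urlReplace` to fill in the event id, but whether that value is URL-encoded is not visible here; since the id now lands in a query parameter rather than a path segment, it should be confirmed that `urlReplace` applies `encodeURIComponent` (or that event ids are constrained to URL-safe characters), otherwise an id containing `&`, `#` or `=` would be misparsed server-side. Any other caller of `url_personnel` outside this diff will now be refused by the server-side change in `_api.py` unless it appends `event_id` the same way. loadPersonnel begins before the hunk.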