API crashes if user and group are embedded in GET to groupmemberships
Created by: cburchert
The auth functions assume that item['user'] in objects returned from the database is an object id. However, with embedding this is not the case. One example is here:
```python
def has_item_write_permission(self, user_id, item):
    """The group moderator and the member can change an enrollment."""
    if user_id == str(item['user']):
        # Own membership can be modified
        return True
    else:
        # Check if moderator
        # Note: Group must exist, otherwise membership would not exist
        # Furthermore user_id can't be None so if there is no moderator
        # we will correctly return False
        collection = current_app.data.driver.db['groups']
        group = collection.find_one({'_id': item['group']},
                                    {'moderator': 1})
        return user_id == str(group.get('moderator'))
```
item['user'] and item['group'] can both be objects if they are embedded via the embedded clause in the query. Then this function crashes.
Similar constructs are also in other functions.
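
One way to make such a permission check accept both plain ids and embedded documents, and deny rather than raise when the group cannot be resolved. This is an added example, not the project's code: `ref_id`, `find_group`, `FakeObjectId` and the sample data are hypothetical names constructed for illustration, and the database lookup is passed in as a function so the block runs offline.

```python
from collections.abc import Mapping


class FakeObjectId:
    """Constructed stand-in for bson.ObjectId so the example runs offline."""

    def __init__(self, hex_id):
        self.hex_id = hex_id

    def __str__(self):
        return self.hex_id

    def __eq__(self, other):
        return isinstance(other, FakeObjectId) and other.hex_id == self.hex_id

    def __hash__(self):
        return hash(self.hex_id)


def ref_id(value):
    """Return the id behind a reference field: a bare id or an embedded document."""
    return value.get('_id') if isinstance(value, Mapping) else value


def has_item_write_permission(user_id, item, find_group):
    """Owner or group moderator may write; anything unresolvable is denied."""
    owner = ref_id(item.get('user'))
    if user_id is not None and owner is not None and user_id == str(owner):
        return True
    group_id = ref_id(item.get('group'))
    # find_group is a hypothetical lookup standing in for the 'groups' collection
    group = find_group(group_id) if group_id is not None else None
    if user_id is None or group is None:
        return False  # fail closed instead of raising on a missing group
    moderator = ref_id(group.get('moderator'))
    return moderator is not None and user_id == str(moderator)


# Constructed sample data: one group, one member (ALICE), one moderator (BOB)
ALICE, BOB, GROUP = (FakeObjectId(h) for h in ('a' * 24, 'b' * 24, 'c' * 24))
GROUPS = {GROUP: {'_id': GROUP, 'moderator': BOB}}
PLAIN = {'user': ALICE, 'group': GROUP}
EMBEDDED = {'user': {'_id': ALICE, 'name': 'alice'},
            'group': {'_id': GROUP, 'moderator': BOB}}
```

The same normalisation applies to any other auth function that compares `item['user']` or `item['group']` against an id.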