diff --git a/delivery2/server/routes/file.py b/delivery2/server/routes/file.py index 2d5e138..3ccbbd4 100644 --- a/delivery2/server/routes/file.py +++ b/delivery2/server/routes/file.py @@ -2,7 +2,7 @@ import json from flask import Blueprint, request, jsonify, send_file, Response -import utils +from utils import Perm, get_hex_from_temp_file, get_hash, check_valid_time from services import FileService, OrganizationService, UserService, SessionService file_bp = Blueprint("file", __name__) @@ -22,7 +22,7 @@ def file_get_content(file_handle: str): @file_bp.route("/get//metadata", methods=["GET"]) def file_get_metadata(document_handle: str): session_token = request.headers.get("Authorization") - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_READ]) if isinstance(session, tuple): return session @@ -41,7 +41,7 @@ def file_get_metadata(document_handle: str): def file_upload_metadata(): session_token = request.headers.get("Authorization") print(session_token) - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_NEW]) if isinstance(session, tuple): return session @@ -69,7 +69,7 @@ def file_upload_content(): if not session_token: return jsonify({"error": "No session token"}), 400 - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_NEW]) if isinstance(session, tuple): return session @@ -83,13 +83,13 @@ def file_upload_content(): if not file: return jsonify({"error": "Invalid file data"}), 400 - file_data = utils.get_hex_from_temp_file(file.stream) + file_data = get_hex_from_temp_file(file.stream) file_sum = request.headers.get("File-Checksum") if not file_sum: return jsonify({"error": "No file checksum provided"}), 400 - if file_sum != str(utils.get_hash(file_data)): + if file_sum != str(get_hash(file_data)): return jsonify({"error": "File checksum mismatch"}), 400 file = upload_service.write_file(session_token, file_sum, file_data) @@ -131,12 +131,12 @@ def file_list(): return jsonify({"error": "User not found"}), 404 files = FileService.list_files_in_org(org) return jsonify([file.to_dict() for file in files if file.creator_id == user.id and ( - utils.check_valid_time(file.created_at, datetime_value, datetime_relation) + check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True )]) files = FileService.list_files_in_org(org) - return jsonify([file.to_dict() for file in files if (utils.check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True)]) + return jsonify([file.to_dict() for file in files if (check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True)]) @file_bp.route("/delete/", methods=["POST"]) @@ -145,7 +145,7 @@ def file_delete(document_handle: str): if not session_token: return jsonify({"error": "No session token"}), 400 - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_DELETE]) if isinstance(session, tuple): return session diff --git a/delivery2/server/routes/user.py b/delivery2/server/routes/user.py index cbda045..b343d5f 100644 --- a/delivery2/server/routes/user.py +++ b/delivery2/server/routes/user.py @@ -2,6 +2,7 @@ import json import utils from flask import Blueprint, request, jsonify from services import UserService, SessionService, OrganizationService +from utils import Perm user_bp = Blueprint("user", __name__) @@ -74,7 +75,7 @@ def user_create(): if not session_token: return jsonify({"error": "No session token"}), 400 - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_NEW]) if isinstance(session, tuple): return session @@ -108,7 +109,7 @@ def user_suspend(username): if not session_token: return jsonify({"error": "No session token"}), 400 - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_DOWN]) if isinstance(session, tuple): return session @@ -129,7 +130,7 @@ def user_unsuspend(username): if not session_token: return jsonify({"error": "No session token"}), 400 - session = SessionService.validate_session(session_token) + session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_UP]) if isinstance(session, tuple): return session diff --git a/delivery2/server/services/sessions.py b/delivery2/server/services/sessions.py index 515b934..b7411ee 100644 --- a/delivery2/server/services/sessions.py +++ b/delivery2/server/services/sessions.py @@ -33,7 +33,7 @@ class SessionService: db.commit() @staticmethod - def validate_session(token: str) -> tuple | Session: + def validate_session(token: str, required_perms: list[Perm] = None) -> tuple | Session: from services import OrganizationService if "Bearer" in token: @@ -51,6 +51,11 @@ class SessionService: if status != "active": return jsonify({"error": "User is not active"}), 403 + if required_perms: + for perm in required_perms: + if not SessionService.check_permission(session, perm): + return jsonify({"error": f"Permission denied, missing required permission: {perm}"}), 403 + return session @staticmethod