Permission check for already implemented functions
Signed-off-by: Tiago Garcia <tiago.rgarcia@ua.pt>
This commit is contained in:
parent
17cbf845c7
commit
5e21a77c5d
GPG Key ID:
DFCD48E3F420DB42
|
|
@ -2,7 +2,7 @@ import json
|
|||
|
||||
from flask import Blueprint, request, jsonify, send_file, Response
|
||||
|
||||
import utils
|
||||
from utils import Perm, get_hex_from_temp_file, get_hash, check_valid_time
|
||||
from services import FileService, OrganizationService, UserService, SessionService
|
||||
|
||||
file_bp = Blueprint("file", __name__)
|
||||
|
|
@ -22,7 +22,7 @@ def file_get_content(file_handle: str):
|
|||
@file_bp.route("/get/<string:document_handle>/metadata", methods=["GET"])
|
||||
def file_get_metadata(document_handle: str):
|
||||
session_token = request.headers.get("Authorization")
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_READ])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
@ -41,7 +41,7 @@ def file_get_metadata(document_handle: str):
|
|||
def file_upload_metadata():
|
||||
session_token = request.headers.get("Authorization")
|
||||
print(session_token)
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_NEW])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
@ -69,7 +69,7 @@ def file_upload_content():
|
|||
if not session_token:
|
||||
return jsonify({"error": "No session token"}), 400
|
||||
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_NEW])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
@ -83,13 +83,13 @@ def file_upload_content():
|
|||
if not file:
|
||||
return jsonify({"error": "Invalid file data"}), 400
|
||||
|
||||
file_data = utils.get_hex_from_temp_file(file.stream)
|
||||
file_data = get_hex_from_temp_file(file.stream)
|
||||
|
||||
file_sum = request.headers.get("File-Checksum")
|
||||
if not file_sum:
|
||||
return jsonify({"error": "No file checksum provided"}), 400
|
||||
|
||||
if file_sum != str(utils.get_hash(file_data)):
|
||||
if file_sum != str(get_hash(file_data)):
|
||||
return jsonify({"error": "File checksum mismatch"}), 400
|
||||
|
||||
file = upload_service.write_file(session_token, file_sum, file_data)
|
||||
|
|
@ -131,12 +131,12 @@ def file_list():
|
|||
return jsonify({"error": "User not found"}), 404
|
||||
files = FileService.list_files_in_org(org)
|
||||
return jsonify([file.to_dict() for file in files if file.creator_id == user.id and (
|
||||
utils.check_valid_time(file.created_at, datetime_value, datetime_relation)
|
||||
check_valid_time(file.created_at, datetime_value, datetime_relation)
|
||||
if "datetime" in data else True
|
||||
)])
|
||||
|
||||
files = FileService.list_files_in_org(org)
|
||||
return jsonify([file.to_dict() for file in files if (utils.check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True)])
|
||||
return jsonify([file.to_dict() for file in files if (check_valid_time(file.created_at, datetime_value, datetime_relation) if "datetime" in data else True)])
|
||||
|
||||
|
||||
@file_bp.route("/delete/<string:document_handle>", methods=["POST"])
|
||||
|
|
@ -145,7 +145,7 @@ def file_delete(document_handle: str):
|
|||
if not session_token:
|
||||
return jsonify({"error": "No session token"}), 400
|
||||
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.DOC_DELETE])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ import json
|
|||
import utils
|
||||
from flask import Blueprint, request, jsonify
|
||||
from services import UserService, SessionService, OrganizationService
|
||||
from utils import Perm
|
||||
|
||||
user_bp = Blueprint("user", __name__)
|
||||
|
||||
|
|
@ -74,7 +75,7 @@ def user_create():
|
|||
if not session_token:
|
||||
return jsonify({"error": "No session token"}), 400
|
||||
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_NEW])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
@ -108,7 +109,7 @@ def user_suspend(username):
|
|||
if not session_token:
|
||||
return jsonify({"error": "No session token"}), 400
|
||||
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_DOWN])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
@ -129,7 +130,7 @@ def user_unsuspend(username):
|
|||
if not session_token:
|
||||
return jsonify({"error": "No session token"}), 400
|
||||
|
||||
session = SessionService.validate_session(session_token)
|
||||
session = SessionService.validate_session(session_token, required_perms=[Perm.SUBJECT_UP])
|
||||
if isinstance(session, tuple):
|
||||
return session
|
||||
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ class SessionService:
|
|||
db.commit()
|
||||
|
||||
@staticmethod
|
||||
def validate_session(token: str) -> tuple | Session:
|
||||
def validate_session(token: str, required_perms: list[Perm] = None) -> tuple | Session:
|
||||
from services import OrganizationService
|
||||
|
||||
if "Bearer" in token:
|
||||
|
|
@ -51,6 +51,11 @@ class SessionService:
|
|||
if status != "active":
|
||||
return jsonify({"error": "User is not active"}), 403
|
||||
|
||||
if required_perms:
|
||||
for perm in required_perms:
|
||||
if not SessionService.check_permission(session, perm):
|
||||
return jsonify({"error": f"Permission denied, missing required permission: {perm}"}), 403
|
||||
|
||||
return session
|
||||
|
||||
@staticmethod
|
||||
|
|
|
|||
Loading…
Reference in New Issue