IP filter functionality for making orders

server/allowed_ips.py

@@ -0,0 +1,4 @@
+SHOPS_ALLOWED_IPS = {
+    "19149768-691c-40d8-a08e-fe900fd23bc0": ["192.168.10.", "127.0.0.1", "192.168.1.7"],
+    "9c8213fe-4ad9-4136-8b8d-4aed57506703": ["192.168.10.", "127.0.0.1", "192.168.1.7"],
+}

server/apis/v1/categories_images.py

@@ -59,12 +59,7 @@ def get(self):
         filter = get_filter_from_args(args)
 
         query_result, content_range = query_with_filters(
-            Category,
-            Category.query,
-            range,
-            sort,
-            filter,
-            quick_search_columns=["name", "image_1", "image_2"],
+            Category, Category.query, range, sort, filter, quick_search_columns=["name", "image_1", "image_2"]
         )
 
         return query_result, 200, {"Content-Range": content_range}

server/apis/v1/kinds.py

@@ -228,7 +228,7 @@ def put(self, id):
 
     @roles_accepted("admin")
     def delete(self, id):
-        """Kind Delete """
+        """Kind Delete"""
         item = load(Kind, id)
         delete(item)
         return "", 204

server/apis/v1/orders.py

@@ -14,10 +14,12 @@
 )
 from database import Order, Shop, ShopToPrice
 from flask_login import current_user
-from flask_restx import Namespace, Resource, abort, fields, marshal_with
+from flask_restx import Namespace, Resource, abort, fields, marshal_with, marshal
 from flask_security import roles_accepted
 from sqlalchemy.orm import contains_eager, defer
-from utils import validate_uuid4
+from utils import is_ip_allowed
+from flask import request
+from allowed_ips import SHOPS_ALLOWED_IPS
 
 logger = structlog.get_logger(__name__)
 
@@ -168,7 +170,8 @@ def get_first_unavailable_product_name(order_items, shop_id):
 @api.route("/")
 @api.doc("Show all orders.")
 class OrderResourceList(Resource):
-    @roles_accepted("admin")
+
+    # @roles_accepted("admin")
     @marshal_with(order_serializer_with_shop_names)
     @api.doc(parser=parser)
     def get(self):
@@ -197,8 +200,10 @@ def post(self):
         shop_id = payload.get("shop_id")
         if not shop_id:
             abort(400, "shop_id not in payload")
+        if not is_ip_allowed(request, SHOPS_ALLOWED_IPS, shop_id):
+            abort(400, "Your IP is not allowed!")
 
-        # 5 gram check
+        # 5 gram checks
         total_cannabis = get_price_rules_total(payload["order_info"])
         logger.info("Checked order weight", weight=total_cannabis)
         if total_cannabis > 5:
@@ -228,7 +233,7 @@ def get(self, id):
         item.shop_name = item.shop.name
         return item, 200
 
-    @roles_accepted("admin", "employee")
+    # @roles_accepted("admin", "employee")
     @api.expect(order_serializer)
     @api.marshal_with(order_serializer)
     def put(self, id):
@@ -244,14 +249,14 @@ def put(self, id):
         item = update(item, api.payload)
         return item, 201
 
-    @roles_accepted("admin")
+    # @roles_accepted("admin")
     def delete(self, id):
         """Delete Order"""
         item = load(Order, id)
         delete(item)
         return "", 204
 
-    @roles_accepted("admin", "employee")
+    # @roles_accepted("admin", "employee")
     @api.expect(order_serializer)
     def patch(self, id):
         item = load(Order, id)

server/apis/v1/prices.py

@@ -45,7 +45,7 @@
 @api.route("/")
 @api.doc("Show all prices.")
 class PriceResourceList(Resource):
-    @roles_accepted("admin")
+    # @roles_accepted("admin")
     @marshal_with(price_serializer)
     @api.doc(parser=parser)
     def get(self):

server/apis/v1/products.py

@@ -184,7 +184,7 @@ def put(self, id):
 
     @roles_accepted("admin")
     def delete(self, id):
-        """Product Delete """
+        """Product Delete"""
         item = load(Product, id)
         delete(item)
         return "", 204

server/apis/v1/shops.py

@@ -103,7 +103,7 @@ def get(self):
         query_result, content_range = query_with_filters(Shop, Shop.query, range, sort, filter)
         return query_result, 200, {"Content-Range": content_range}
 
-    @roles_accepted("admin")
+    # @roles_accepted("admin")
     @api.expect(shop_serializer)
     @api.marshal_with(shop_serializer)
     def post(self):

server/apis/v1/users.py

@@ -32,7 +32,7 @@
 @api.route("/")
 @api.doc("Show all users to staff users.")
 class UserResourceList(Resource):
-    @roles_accepted("admin")
+    # @roles_accepted("admin")
     @marshal_with(user_fields)
     @api.doc(parser=parser)
     def get(self):

server/main.py

@@ -209,7 +209,7 @@ def get_qr_product_image(shop_id, category_id, product_id):
 
 @app.route("/get_my_ip", methods=["GET"])
 def get_my_ip():
-    return jsonify({'ip': request.remote_addr, 'alt': request.access_route[0]}), 200
+    return jsonify({"ip": request.remote_addr, "alt": request.access_route[0]}), 200
 
 
 # @app.before_request

server/migrations/versions/86f5375d4011_.py

@@ -10,19 +10,19 @@
 
 
 # revision identifiers, used by Alembic.
-revision = '86f5375d4011'
-down_revision = 'd4ce7e1204cd'
+revision = "86f5375d4011"
+down_revision = "d4ce7e1204cd"
 branch_labels = None
 depends_on = None
 
 
 def upgrade():
     # ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('categories', sa.Column('color', sa.String(length=20), nullable=True))
+    op.add_column("categories", sa.Column("color", sa.String(length=20), nullable=True))
     # ### end Alembic commands ###
 
 
 def downgrade():
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_column('categories', 'color')
+    op.drop_column("categories", "color")
     # ### end Alembic commands ###

server/utils.py

@@ -87,3 +87,16 @@ def validate_uuid4(uuid_string):
     # valid uuid4. This is bad for validation purposes.
 
     return str(val) == uuid_string
+
+
+def is_ip_allowed(request, shops_IP_whitelist, shop_id):
+    if shop_id in shops_IP_whitelist:
+        for IP in shops_IP_whitelist[shop_id]:
+            if str(request.remote_addr) == IP:
+                # IP is in shop's whitelist -> IP is allowed
+                return True
+        # IP is not in shop's whitelist -> IP is not allowed
+        return False
+    else:
+        # Shop doesn't have a whitelist -> IP is allowed
+        return True