From 4cb5535fde44b0806d9a1b2c5350a9d44ffd00c9 Mon Sep 17 00:00:00 2001 From: William De Rocco <93288641+wderocco8@users.noreply.github.com> Date: Sun, 4 Aug 2024 12:43:34 -0400 Subject: [PATCH 1/2] swapped order of decorators in api (need to check auth before handling exceptions --> otherwise user will not get 401 error even if they're unauthenticated) --- chalicelib/api/events_rush.py | 4 +++- chalicelib/api/listings.py | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/chalicelib/api/events_rush.py b/chalicelib/api/events_rush.py index 8159289..7d62ca5 100644 --- a/chalicelib/api/events_rush.py +++ b/chalicelib/api/events_rush.py @@ -1,12 +1,14 @@ from chalice import Blueprint from chalicelib.decorators import auth from chalicelib.services.EventsRushService import events_rush_service +from chalicelib.models.roles import Roles + events_rush_api = Blueprint(__name__) @events_rush_api.route("/events/rush", methods=["GET"], cors=True) -@auth(events_rush_api, roles=["admin"]) +@auth(events_rush_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_rush_events(): return events_rush_service.get_rush_categories_and_events() diff --git a/chalicelib/api/listings.py b/chalicelib/api/listings.py index f9d58f6..482f24f 100644 --- a/chalicelib/api/listings.py +++ b/chalicelib/api/listings.py @@ -55,8 +55,8 @@ def toggle_visibility(id): @listings_api.route("/listings/{id}/update-field", methods=["PATCH"], cors=True) -@handle_exceptions @auth(listings_api, roles=[Roles.ADMIN, Roles.MEMBER]) +@handle_exceptions def update_listing_field_route(id): try: return listing_service.update_field_route( From 5a649a47a4babfd29905928fa41fc314916b8f3c Mon Sep 17 00:00:00 2001 
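Review bot: GET /events/rush is widened from `["admin"]` to `[Roles.ADMIN, Roles.MEMBER]`, an authorization change that the commit subject (decorator ordering) does not mention; the same widening of previously admin-only reads appears in the accountability.py hunk and the events_member.py hunk of the second patch. A scope change of this kind should be stated in the commit message and pinned by a test that asserts which roles each route accepts, so a later edit cannot silently widen it again. If the widening is intended, a comment on the decorator would record the decision next to the route, e.g. `# members may read rush events; the write routes below stay admin-only`.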
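Review bot: The new ordering `@auth` above `@handle_exceptions` encodes a rule that nothing in listings.py states, so the next contributor is likely to restore the old order; a comment on the route would preserve it, e.g. `# @auth must wrap @handle_exceptions: an unauthenticated caller gets 401 from auth, not a handled error from the body.` One consequence worth confirming is that an exception raised inside `auth` itself (a missing or malformed token, say) is now outside `handle_exceptions`, so the decorator must produce its own 401/403 response rather than surface as a 500 — I cannot see the decorator from this hunk. The body of `update_listing_field_route` continues past the hunk, and the inner `try:` it opens overlaps with what `@handle_exceptions` already does, so one of the two is probably redundant.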
From: William De Rocco <93288641+wderocco8@users.noreply.github.com> Date: Sun, 4 Aug 2024 12:52:09 -0400 Subject: [PATCH 2/2] adjusted roles to use Roles object --- chalicelib/api/accountability.py | 3 ++- chalicelib/api/events_member.py | 21 +++++++++++---------- chalicelib/api/events_rush.py | 11 ++++++----- chalicelib/api/members.py | 4 ++-- 4 files changed, 21 insertions(+), 18 deletions(-) diff --git a/chalicelib/api/accountability.py b/chalicelib/api/accountability.py index 464c148..e82c988 100644 --- a/chalicelib/api/accountability.py +++ b/chalicelib/api/accountability.py @@ -1,12 +1,13 @@ from chalice import Blueprint from chalicelib.decorators import auth from chalicelib.services.AccountabilityService import accountability_service +from chalicelib.models.roles import Roles accountability_api = Blueprint(__name__) @accountability_api.route("/accountability", methods=["GET"], cors=True) -@auth(accountability_api, roles=["admin"]) +@auth(accountability_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_accountability(): if accountability_api.current_request.query_params: page = int(accountability_api.current_request.query_params.get("page", 0)) diff --git a/chalicelib/api/events_member.py b/chalicelib/api/events_member.py index 9ea805e..cba9fad 100644 --- a/chalicelib/api/events_member.py +++ b/chalicelib/api/events_member.py 
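Review bot: Opening GET /accountability to `Roles.MEMBER` also exposes the unguarded `int(accountability_api.current_request.query_params.get("page", 0))` on the line below to a larger caller set; a non-numeric `page` raises ValueError there and, with no `@handle_exceptions` on this route, becomes a 500 rather than a 400. A small guard would make the failure explicit, e.g. `try: page = int(...)` / `except ValueError: raise BadRequestError("page must be an integer")`, using chalice's `BadRequestError`. The body of `get_accountability` continues outside the hunk, so any further parameter parsing there deserves the same check.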
@@ -1,68 +1,69 @@ from chalice import Blueprint from chalicelib.decorators import auth from chalicelib.services.EventsMemberService import events_member_service +from chalicelib.models.roles import Roles events_member_api = Blueprint(__name__) @events_member_api.route("/timeframes", methods=["POST"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN]) def create_timeframe(): data = events_member_api.current_request.json_body return events_member_service.create_timeframe(data) @events_member_api.route("/timeframes", methods=["GET"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_all_timeframes(): return events_member_service.get_all_timeframes() @events_member_api.route("/timeframes/{timeframe_id}", methods=["GET"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_timeframe(timeframe_id: str): return events_member_service.get_timeframe(timeframe_id) @events_member_api.route("/timeframes/{timeframe_id}", methods=["DELETE"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN]) def delete_timeframe(timeframe_id: str): return events_member_service.delete_timeframe(timeframe_id) @events_member_api.route("/timeframes/{timeframe_id}/events", methods=["POST"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN]) def create_event(timeframe_id: str): data = events_member_api.current_request.json_body return events_member_service.create_event(timeframe_id, data) @events_member_api.route("/events/{event_id}", methods=["GET"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_event(event_id: str): return events_member_service.get_event(event_id) @events_member_api.route("/timeframes/{timeframe_id}/sheets", 
methods=["GET"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_timeframe_sheets(timeframe_id: str): return events_member_service.get_timeframe_sheets(timeframe_id) @events_member_api.route("/events/{event_id}/checkin", methods=["POST"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN, Roles.MEMBER]) def checkin(event_id: str): data = events_member_api.current_request.json_body return events_member_service.checkin(event_id, data) @events_member_api.route("/events/{event_id}", methods=["PATCH"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN]) def update_event(event_id: str): pass @events_member_api.route("/events/{event_id}", methods=["DELETE"], cors=True) -@auth(events_member_api, roles=["admin"]) +@auth(events_member_api, roles=[Roles.ADMIN]) def delete_event(event_id: str): return events_member_service.delete(event_id) \ No newline at end of file diff --git a/chalicelib/api/events_rush.py b/chalicelib/api/events_rush.py index 7d62ca5..44191c6 100644 --- a/chalicelib/api/events_rush.py +++ b/chalicelib/api/events_rush.py 
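Review bot: POST /events/{event_id}/checkin is opened to `Roles.MEMBER` while it still forwards the raw `json_body` to `events_member_service.checkin` unchanged, so whether a member can only check in as themselves now depends entirely on the service validating the body against the caller's identity, which this hunk does not show. If `auth` exposes the authenticated user, passing that identity to the service rather than trusting a user id in the body would close the gap; at minimum a comment such as `# open to members: the service must bind the check-in to the caller, not to an id in the body` should record the expectation. Separately, `update_event` remains a `pass` stub on an admin-only PATCH route and returns `None`, which Chalice serves as a successful empty response; an explicit not-implemented error would be less misleading to callers.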
@@ -19,27 +19,27 @@ def get_rush_event(event_id): @events_rush_api.route("/events/rush/category", methods=["POST"], cors=True) -@auth(events_rush_api, roles=["admin"]) +@auth(events_rush_api, roles=[Roles.ADMIN]) def create_rush_category(): data = events_rush_api.current_request.json_body return events_rush_service.create_rush_category(data) @events_rush_api.route("/events/rush", methods=["POST"], cors=True) -@auth(events_rush_api, roles=["admin"]) +@auth(events_rush_api, roles=[Roles.ADMIN]) def create_rush_event(): data = events_rush_api.current_request.json_body return events_rush_service.create_rush_event(data) @events_rush_api.route("/events/rush", methods=["PATCH"], cors=True) -@auth(events_rush_api, roles=["admin"]) +@auth(events_rush_api, roles=[Roles.ADMIN]) def modify_rush_event(): data = events_rush_api.current_request.json_body return events_rush_service.modify_rush_event(data) @events_rush_api.route("/events/rush/settings", methods=["PATCH"], cors=True) -@auth(events_rush_api, roles=["admin"]) +@auth(events_rush_api, roles=[Roles.ADMIN]) def modify_rush_settings(): data = events_rush_api.current_request.json_body return events_rush_service.modify_rush_settings(data) @@ -58,11 +58,12 @@ def get_rush_events_default_category(): @events_rush_api.route("/events/rush/{event_id}", methods=["DELETE"], cors=True) +@auth(events_rush_api, roles=[Roles.ADMIN]) def delete_rush_event(event_id): return events_rush_service.delete_rush_event(event_id) @events_rush_api.route("/events/rush/{category_id}/analytics", methods=["GET"], cors=True) -@auth(events_rush_api, roles=["admin"]) +@auth(events_rush_api, roles=[Roles.ADMIN]) def get_rush_category_analytics(category_id): return events_rush_service.get_rush_category_analytics(category_id=category_id) \ No newline at end of file diff --git a/chalicelib/api/members.py b/chalicelib/api/members.py index 57b3f32..6300ebf 100644 --- a/chalicelib/api/members.py +++ b/chalicelib/api/members.py 
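Review bot: Adding `@auth(events_rush_api, roles=[Roles.ADMIN])` to `delete_rush_event` closes a DELETE route that previously carried no authentication at all, which is a security fix rather than the mechanical rename the commit subject describes; it should be named in the commit message so the change is found when the history is searched. Whether `get_rush_events_default_category`, named in this hunk header, and `get_rush_event`, named in the previous hunk's header, carry `@auth` is not visible here and is worth checking in the same pass. A blueprint-level test that iterates the registered routes and fails on any view function without `auth` would keep this class of omission from recurring.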
@@ -7,7 +7,7 @@ @members_api.route("/member/{user_id}", methods=["GET"], cors=True) -@auth(members_api, roles=["admin", "member"]) +@auth(members_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_member(user_id): member = member_service.get_by_id(user_id) return member if member else {} @@ -23,7 +23,7 @@ def update_member(user_id): @members_api.route("/members", methods=["GET"], cors=True) -@auth(members_api, roles=["admin", "member"]) +@auth(members_api, roles=[Roles.ADMIN, Roles.MEMBER]) def get_all_members(): """Fetches all members who have access to WhyPhi.""" return member_service.get_all()
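Review bot: Unlike the other three files in this patch, members.py gains no `from chalicelib.models.roles import Roles` line (the diffstat shows only two changed lines), so the new `Roles.ADMIN` and `Roles.MEMBER` references in this hunk and the `get_all_members` hunk below resolve only if that import already exists in lines 1-6, which are outside the hunk. If it does not, the module raises NameError at import time and every route in the blueprint disappears rather than failing closed. Please confirm the import is present, or add it alongside the `auth` import at the top of the file.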