fix: Make event-invoices endpoint admin only #7096

Merged
merged 4 commits into from
Jun 30, 2020
Merged
7 changes: 6 additions & 1 deletion app/api/event_invoices.py
@@ -1,11 +1,12 @@
import datetime

from flask import jsonify, request
from flask_jwt_extended import current_user
from flask_rest_jsonapi import ResourceDetail, ResourceList, ResourceRelationship

from app.api.bootstrap import api
from app.api.helpers.db import safe_query, safe_query_kwargs, save_to_db
from app.api.helpers.errors import BadRequestError
from app.api.helpers.errors import BadRequestError, ForbiddenError
from app.api.helpers.payment import PayPalPaymentsManager
from app.api.helpers.permissions import is_admin, jwt_required
from app.api.helpers.query import event_query
Expand Down Expand Up @@ -39,6 +40,10 @@ def query(self, view_kwargs):
:param view_kwargs:
:return:
"""
user = current_user
if not user.is_staff:
raise ForbiddenError({'source': ''}, 'Admin access is required')

query_ = self.session.query(EventInvoice)
query_ = event_query(query_, view_kwargs)
if view_kwargs.get('user_id'):
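Review bot: The new guard in `query()` dereferences `current_user.is_staff` without checking for `None`; `flask_jwt_extended.current_user` is `None` on a request that carries no JWT, so unless the list route is already wrapped by the `jwt_required` decorator imported on the line above (the resource's decorator list is outside the hunk, so I cannot confirm it), an anonymous caller gets an `AttributeError` and a 500 instead of a clean 401/403. A fail-closed form that does not depend on that is `if not (user and user.is_staff):`, or better, apply the `is_admin` permission already imported from `app.api.helpers.permissions` on the resource so the check is declared once and raises the same error shape as the rest of the API. Note also that the PR title says "admin only" while the code tests `is_staff`; that presumably means admin-or-super-admin here, so a one-line comment such as `# is_staff covers admin and super admin; non-staff users must never list invoices` would stop the next reader from widening it. `query()` itself begins before the hunk and its body continues past it, and any detail/relationship resources for EventInvoice in this file are not shown, so they may still need the same restriction.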
20 changes: 11 additions & 9 deletions app/api/helpers/permission_manager.py
Expand Up @@ -23,7 +23,8 @@ def auth_required(view, view_args, view_kwargs, *args, **kwargs):
def is_super_admin(view, view_args, view_kwargs, *args, **kwargs):
"""
Permission function for things allowed exclusively to super admin.
Do not use this if the resource is also accessible by a normal admin, use the is_admin decorator instead.
Do not use this if the resource is also accessible by a normal admin,
use the is_admin decorator instead.
:return:
"""
user = current_user
Expand Down Expand Up @@ -61,7 +62,8 @@ def is_organizer(view, view_args, view_kwargs, *args, **kwargs):
if user.is_staff:
return view(*view_args, **view_kwargs)

if user.is_owner(kwargs['event_id']) or user.is_organizer(kwargs['event_id']):
event_id = kwargs.get('event_id')
if event_id and (user.is_owner(event_id) or user.is_organizer(event_id)):
return view(*view_args, **view_kwargs)

raise ForbiddenError({'source': ''}, 'Organizer access is required')
Expand Down Expand Up @@ -94,7 +96,8 @@ def is_coorganizer_endpoint_related_to_event(
view, view_args, view_kwargs, *args, **kwargs
):
"""
If the authorization header is present (but expired) and the event being accessed is not published
If the authorization header is present (but expired)
and the eventbeing accessed is not published
- And the user is related to the event (organizer, co-organizer etc) show a 401
- Else show a 404

Expand Down Expand Up @@ -380,7 +383,7 @@ def permission_manager(view, view_args, view_kwargs, *args, **kwargs):
if 'id' in kwargs:
view_kwargs['id'] = kwargs['id']

if 'methods' in kwargs:
if kwargs.get('methods'):
methods = kwargs['methods']

if request.method not in methods:
Expand Down Expand Up @@ -452,16 +455,16 @@ def permission_manager(view, view_args, view_kwargs, *args, **kwargs):
fetch = kwargs['fetch']
fetch_key_url = 'id'
fetch_key_model = 'id'
if 'fetch_key_url' in kwargs:
if kwargs.get('fetch_key_url'):
fetch_key_url = kwargs['fetch_key_url']

if 'fetch_key_model' in kwargs:
if kwargs.get('fetch_key_model'):
fetch_key_model = kwargs['fetch_key_model']

if not is_multiple(model):
model = [model]

if type(fetch_key_url) == str and is_multiple(fetch_key_url):
if isinstance(fetch_key_url, str) and is_multiple(fetch_key_url):
fetch_key_url = fetch_key_url.split( # pytype: disable=attribute-error
","
)
Expand Down Expand Up @@ -505,8 +508,7 @@ def permission_manager(view, view_args, view_kwargs, *args, **kwargs):
raise NotFoundError({'source': ''}, 'Object not found.')
if args[0] in permissions:
return permissions[args[0]](view, view_args, view_kwargs, *args, **kwargs)
else:
raise ForbiddenError({'source': ''}, 'Access forbidden')
raise ForbiddenError({'source': ''}, 'Access forbidden')


def has_access(access_level, **kwargs):
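Review bot: Replacing `'methods' in kwargs` with `kwargs.get('methods')` in `permission_manager` silently changes what an empty `methods=[]` means: before, `request.method not in []` was always true and the branch body ran for every request; now the branch is skipped and the check falls through to the normal permission path. Since the branch body that follows `if request.method not in methods:` is outside the hunk, I cannot tell which outcome is the permissive one, but whichever it is the semantics deserve a line of documentation next to the condition, e.g. `# An empty or missing methods list means the check applies to every HTTP method.`, plus a test pinning that an empty list no longer bypasses the check. The same `get()`-style change to `fetch_key_url`/`fetch_key_model` is fine because an empty string would be a misconfiguration either way. Separately, the rewrapped docstring of `is_coorganizer_endpoint_related_to_event` now reads "the eventbeing accessed"; it should be "the event being accessed".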