This commit is contained in:
parent
77dddedae6
commit
7746d1992f
|
|
@ -32,6 +32,7 @@ async def get_shouts_drafts(_, info):
|
|||
joinedload(Shout.topics),
|
||||
)
|
||||
.filter(and_(Shout.deleted_at.is_(None), Shout.created_by == author.id))
|
||||
.filter(Shout.published_at.is_(None))
|
||||
.group_by(Shout.id)
|
||||
)
|
||||
shouts = [shout for [shout] in session.execute(q).unique()]
|
||||
|
|
@ -161,6 +162,7 @@ def patch_topics(session, shout, topics_input):
|
|||
@login_required
|
||||
async def update_shout(_, info, shout_id, shout_input=None, publish=False):
|
||||
user_id = info.context['user_id']
|
||||
roles = info.context['roles']
|
||||
if not shout_input:
|
||||
shout_input = {}
|
||||
with local_session() as session:
|
||||
|
|
@ -178,7 +180,7 @@ async def update_shout(_, info, shout_id, shout_input=None, publish=False):
|
|||
)
|
||||
if not shout:
|
||||
return {'error': 'shout not found'}
|
||||
if shout.created_by is not author.id and author.id not in shout.authors:
|
||||
if shout.created_by is not author.id and author.id not in shout.authors and 'editor' not in roles:
|
||||
return {'error': 'access denied'}
|
||||
|
||||
# topics patch
|
||||
|
|
@ -215,13 +217,14 @@ async def update_shout(_, info, shout_id, shout_input=None, publish=False):
|
|||
@login_required
|
||||
async def delete_shout(_, info, shout_id):
|
||||
user_id = info.context['user_id']
|
||||
roles = info.context['roles']
|
||||
with local_session() as session:
|
||||
author = session.query(Author).filter(Author.user == user_id).first()
|
||||
shout = session.query(Shout).filter(Shout.id == shout_id).first()
|
||||
if not shout:
|
||||
return {'error': 'invalid shout id'}
|
||||
if author and shout:
|
||||
if shout.created_by is not author.id and author.id not in shout.authors:
|
||||
if shout.created_by is not author.id and author.id not in shout.authors and 'editor' not in roles:
|
||||
return {'error': 'access denied'}
|
||||
|
||||
for author_id in shout.authors:
|
||||
|
|
|
|||
|
|
@ -212,6 +212,8 @@ async def create_reaction(_, info, reaction):
|
|||
@login_required
|
||||
async def update_reaction(_, info, rid, reaction):
|
||||
user_id = info.context['user_id']
|
||||
roles = info.context['roles']
|
||||
if user_id and roles:
|
||||
with local_session() as session:
|
||||
q = select(Reaction).filter(Reaction.id == rid)
|
||||
aliased_reaction = aliased(Reaction)
|
||||
|
|
@ -224,7 +226,7 @@ async def update_reaction(_, info, rid, reaction):
|
|||
return {'error': 'invalid reaction id'}
|
||||
author = session.query(Author).filter(Author.user == user_id).first()
|
||||
if author:
|
||||
if r.created_by != author.id:
|
||||
if r.created_by != author.id and 'editor' not in roles:
|
||||
return {'error': 'access denied'}
|
||||
body = reaction.get('body')
|
||||
if body:
|
||||
|
|
@ -253,13 +255,14 @@ async def update_reaction(_, info, rid, reaction):
|
|||
@login_required
|
||||
async def delete_reaction(_, info, reaction_id):
|
||||
user_id = info.context['user_id']
|
||||
roles = info.context['roles']
|
||||
with local_session() as session:
|
||||
r = session.query(Reaction).filter(Reaction.id == reaction_id).first()
|
||||
if not r:
|
||||
return {'error': 'invalid reaction id'}
|
||||
author = session.query(Author).filter(Author.user == user_id).first()
|
||||
if author:
|
||||
if r.created_by is author.id:
|
||||
if r.created_by is author.id and 'editor' not in roles:
|
||||
return {'error': 'access denied'}
|
||||
|
||||
if r.kind in [ReactionKind.LIKE.value, ReactionKind.DISLIKE.value]:
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ async def request_data(gql, headers=None):
|
|||
return None
|
||||
|
||||
|
||||
async def check_auth(req) -> str | None:
|
||||
async def check_auth(req):
|
||||
token = req.headers.get('Authorization')
|
||||
user_id = ''
|
||||
if token:
|
||||
|
|
@ -55,8 +55,10 @@ async def check_auth(req) -> str | None:
|
|||
}
|
||||
data = await request_data(gql)
|
||||
if data:
|
||||
user_id = data.get('data', {}).get(query_name, {}).get('claims', {}).get('sub')
|
||||
return user_id
|
||||
user_data = data.get('data', {}).get(query_name, {}).get('claims', {})
|
||||
user_id = user_data.get('sub')
|
||||
user_roles = user_data.get('allowed_roles')
|
||||
return [user_id, user_roles]
|
||||
|
||||
if not user_id:
|
||||
raise HTTPException(status_code=401, detail='Unauthorized')
|
||||
|
|
@ -88,9 +90,11 @@ def login_required(f):
|
|||
info = args[1]
|
||||
context = info.context
|
||||
req = context.get('request')
|
||||
user_id = await check_auth(req)
|
||||
if user_id:
|
||||
[user_id, user_roles] = (await check_auth(req)) or []
|
||||
if user_id and user_roles:
|
||||
logger.info(f' got {user_id} roles: {user_roles}')
|
||||
context['user_id'] = user_id.strip()
|
||||
context['roles'] = user_roles
|
||||
return await f(*args, **kwargs)
|
||||
|
||||
return decorated_function
|
||||
|
|
@ -100,9 +104,10 @@ def auth_request(f):
|
|||
@wraps(f)
|
||||
async def decorated_function(*args, **kwargs):
|
||||
req = args[0]
|
||||
user_id = await check_auth(req)
|
||||
[user_id, user_roles] = (await check_auth(req)) or []
|
||||
if user_id:
|
||||
req['user_id'] = user_id.strip()
|
||||
req['roles'] = user_roles
|
||||
return await f(*args, **kwargs)
|
||||
|
||||
return decorated_function
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user