authorDevin Matte <devinmatte@gmail.com>2022-03-21 13:35:35 -0400
committerDevin Matte <devinmatte@gmail.com>2022-03-21 13:35:35 -0400
commit1b06260fd28e463b97c78dbd0e1f24c2d32eceb8 (patch)
tree8d6d6b6baf6648b54185f7945b38de8b9554d55e
parentaeb8f275b88a1ad6b1df6334498e391bd8790336 (diff)
parent7d6d98fa7acaac41dcaf080770e24fa6bf4ad41e (diff)
Merge branch 'develop' of github.com:ComputerScienceHouse/packet into develop
-rw-r--r--packet/__init__.py6
-rw-r--r--packet/notifications.py2
-rw-r--r--packet/routes/api.py30
-rw-r--r--packet/templates/active_packets.html4
-rw-r--r--requirements.txt2
5 files changed, 33 insertions, 11 deletions
diff --git a/packet/__init__.py b/packet/__init__.py
index 82e2119..85102f5 100644
--- a/packet/__init__.py
+++ b/packet/__init__.py
@@ -7,7 +7,7 @@ import logging
import os
import csh_ldap
-import onesignal_sdk.client as onesignal
+import onesignal
from flask import Flask
from flask_gzip import Gzip
from flask_migrate import Migrate
@@ -57,7 +57,7 @@ if app.config['ONESIGNAL_USER_AUTH_KEY'] and \
app.config['ONESIGNAL_CSH_APP_ID']:
csh_onesignal_client = onesignal.Client(
user_auth_key=app.config['ONESIGNAL_USER_AUTH_KEY'],
- rest_api_key=app.config['ONESIGNAL_CSH_APP_AUTH_KEY'],
+ app_auth_key=app.config['ONESIGNAL_CSH_APP_AUTH_KEY'],
app_id=app.config['ONESIGNAL_CSH_APP_ID']
)
app.logger.info('CSH Onesignal configured and notifications enabled')
@@ -68,7 +68,7 @@ if app.config['ONESIGNAL_USER_AUTH_KEY'] and \
app.config['ONESIGNAL_INTRO_APP_ID']:
intro_onesignal_client = onesignal.Client(
user_auth_key=app.config['ONESIGNAL_USER_AUTH_KEY'],
- rest_api_key=app.config['ONESIGNAL_INTRO_APP_AUTH_KEY'],
+ app_auth_key=app.config['ONESIGNAL_INTRO_APP_AUTH_KEY'],
app_id=app.config['ONESIGNAL_INTRO_APP_ID']
)
app.logger.info('Intro Onesignal configured and notifications enabled')
diff --git a/packet/notifications.py b/packet/notifications.py
index dea47d8..c665125 100644
--- a/packet/notifications.py
+++ b/packet/notifications.py
@@ -1,7 +1,7 @@
from datetime import datetime
from typing import Any, Callable, TypeVar, cast
-import onesignal_sdk.client as onesignal
+import onesignal
from packet import app, intro_onesignal_client, csh_onesignal_client
from packet.models import NotificationSubscription, Packet
diff --git a/packet/routes/api.py b/packet/routes/api.py
index 21d9f0d..c364962 100644
--- a/packet/routes/api.py
+++ b/packet/routes/api.py
@@ -96,10 +96,14 @@ def sync_ldap():
@app.route('/api/v1/packets/<username>', methods=['GET'])
@packet_auth
-def get_packets_by_user(username: str) -> dict:
+@before_request
+def get_packets_by_user(username: str, info=None) -> dict:
"""
Return a dictionary of packets for a freshman by username, giving packet start and end date by packet id
"""
+
+ if info['ritdn'] != username:
+ return 'Forbidden - not your packet', 403
frosh = Freshman.by_username(username)
return {packet.id: {
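Review bot: The ownership check added to get_packets_by_user is `info['ritdn'] != username` with no `is_upper` clause, unlike the three other packet endpoints changed in this file, so an upperclassman is refused here yet can read the same user's newest packet. If that is intended, a comment such as `# upperclassmen are deliberately excluded from the full packet list` would record it; otherwise the condition should read `if not info['is_upper'] and info['ritdn'] != username:`. Separately, every changed signature in this file defaults `info=None` and then subscripts it, so the handlers presumably rely on `before_request` always supplying the dict. Declaring `info` as a required argument, as `report(info)` in a later hunk header already does, would make that dependency explicit. The function body continues past the end of the hunk.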
@@ -110,10 +114,15 @@ def get_packets_by_user(username: str) -> dict:
@app.route('/api/v1/packets/<username>/newest', methods=['GET'])
@packet_auth
-def get_newest_packet_by_user(username: str) -> dict:
+@before_request
+def get_newest_packet_by_user(username: str, info=None) -> dict:
"""
Return a user's newest packet
"""
+
+ if not info['is_upper'] and info['ritdn'] != username:
+ return 'Forbidden - not your packet', 403
+
frosh = Freshman.by_username(username)
packet = frosh.packets[-1]
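Review bot: The predicate `not info['is_upper'] and info['ritdn'] != ...` introduced in get_newest_packet_by_user is repeated verbatim in get_packet_by_id and packet_stats, so a later change to the access rule has to be made in three places and can easily miss one. A small private helper would keep the rule in one place, for example `def _may_view(info: dict, rit_username: str) -> bool:` returning `info['is_upper'] or info['ritdn'] == rit_username`, with each handler calling `if not _may_view(info, username):`. The new early return is also a `(str, int)` tuple while the signature still says `-> dict`; the same mismatch appears in get_packets_by_user and get_packet_by_id, and mypy is listed in requirements.txt. The function body continues past the end of the hunk.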
@@ -130,13 +139,17 @@ def get_newest_packet_by_user(username: str) -> dict:
@app.route('/api/v1/packet/<packet_id>', methods=['GET'])
@packet_auth
-def get_packet_by_id(packet_id: int) -> dict:
+@before_request
+def get_packet_by_id(packet_id: int, info=None) -> dict:
"""
Return the scores of the packet in question
"""
packet = Packet.by_id(packet_id)
+ if not info['is_upper'] and info['ritdn'] != packet.freshman.rit_username:
+ return 'Forbidden - not your packet', 403
+
return {
'required': vars(packet.signatures_required()),
'received': vars(packet.signatures_received()),
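Review bot: The new check in get_packet_by_id dereferences `packet.freshman.rit_username` immediately after `Packet.by_id(packet_id)`, without confirming that a packet was found. Packet.by_id is not visible here, so this is an assumption to confirm: if it can return None for an unknown id, the authorization line raises AttributeError and the caller gets a 500 instead of a clean refusal. A guard before the check, such as `if packet is None: return 'Packet not found', 404`, would cover that case. The inline `Packet.by_id(packet_id).freshman.rit_username` in packet_stats needs the same guard. The returned dict continues past the end of the hunk.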
@@ -198,13 +211,20 @@ def report(info):
@app.route('/api/v1/stats/packet/<packet_id>')
@packet_auth
-def packet_stats(packet_id):
+@before_request
+def packet_stats(packet_id, info=None):
+ if not info['is_upper'] and info['ritdn'] != Packet.by_id(packet_id).freshman.rit_username:
+ return 'Forbidden - not your packet', 403
return stats.packet_stats(packet_id)
@app.route('/api/v1/stats/upperclassman/<uid>')
@packet_auth
-def upperclassman_stats(uid):
+@before_request
+def upperclassman_stats(uid, info=None):
+ if not info['is_upper']:
+ return 'Forbidden', 403
+
return stats.upperclassman_stats(uid)
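Review bot: packet_stats and upperclassman_stats now enforce access rules but have no docstring, while the other endpoints changed in this file each have one. Since the rule is the security-relevant part of each handler, it is worth stating, e.g. `"""Return stats for a packet; a freshman may only read their own packet."""` and `"""Return stats for an upperclassman; restricted to upperclassmen."""`. For upperclassman_stats it would also help to note whether letting any upperclassman read any other `uid` is intended, because the check only tests `info['is_upper']`.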
diff --git a/packet/templates/active_packets.html b/packet/templates/active_packets.html
index 343649a..bd8fdc3 100644
--- a/packet/templates/active_packets.html
+++ b/packet/templates/active_packets.html
@@ -112,5 +112,7 @@
{% block scripts %}
{{ super() }}
- <script src="{{ url_for('static', filename='js/tables.min.js') }}"></script>
+ {% if info.realm == "csh" %}
+ <script src="{{ url_for('static', filename='js/tables.min.js') }}"></script>
+ {% endif %}
{% endblock %}
diff --git a/requirements.txt b/requirements.txt
index 4b0024a..33c1bbe 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,7 +8,7 @@ ddtrace
flask_sqlalchemy~=2.5.1
gunicorn~=20.0.4
mypy
-onesignal-sdk~=2.0.0
+onesignal-sdk~=1.0.0
psycopg2-binary~=2.8.6
pylint-quotes~=0.2.1
pylint~=2.7.2