authorGalen Guyer <galen@galenguyer.com>2021-09-02 20:37:13 -0400
committerGitHub <noreply@github.com>2021-09-02 20:37:13 -0400
commite88a48aaf9fe446aae83cd3559af1c7a6ed4d921 (patch)
tree9034a4240b6a06bda3182c249ac254c4aabf01b1
parentf61cd2b5b616e3b7f35fad95b515313ea2d50bcb (diff)
parent5c48ae09d6bb7551073360b8c2ebe239cff2fd49 (diff)
Merge pull request #295 from ComputerScienceHouse/api-auth
protect api routes from freshmen
-rw-r--r--packet/routes/api.py30
1 files changed, 25 insertions, 5 deletions
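--- a/packet/routes/api.py
+++ b/packet/routes/api.py
@@ -96,10 +96,14 @@ def sync_ldap():
 @app.route('/api/v1/packets/<username>', methods=['GET'])
 @packet_auth
-def get_packets_by_user(username: str) -> dict:
+@before_request
+def get_packets_by_user(username: str, info=None) -> dict:
 """
 Return a dictionary of packets for a freshman by username, giving packet start and end date by packet id
 """
+
+ if info['ritdn'] != username:
+ return 'Forbidden - not your packet', 403
 frosh = Freshman.by_username(username)
 return {packet.id: {
@@ -110,10 +114,15 @@ def get_packets_by_user(username: str) -> dict:
 @app.route('/api/v1/packets/<username>/newest', methods=['GET'])
 @packet_auth
-def get_newest_packet_by_user(username: str) -> dict:
+@before_request
+def get_newest_packet_by_user(username: str, info=None) -> dict:
 """
 Return a user's newest packet
 """
+
+ if not info['is_upper'] and info['ritdn'] != username:
+ return 'Forbidden - not your packet', 403
+
 frosh = Freshman.by_username(username)
 packet = frosh.packets[-1]
@@ -130,13 +139,17 @@ def get_newest_packet_by_user(username: str) -> dict:
 @app.route('/api/v1/packet/<packet_id>', methods=['GET'])
 @packet_auth
-def get_packet_by_id(packet_id: int) -> dict:
+@before_request
+def get_packet_by_id(packet_id: int, info=None) -> dict:
 """
 Return the scores of the packet in question
 """
 packet = Packet.by_id(packet_id)
+ if not info['is_upper'] and info['ritdn'] != packet.freshman.rit_username:
+ return 'Forbidden - not your packet', 403
+
 return {
 'required': vars(packet.signatures_required()),
 'received': vars(packet.signatures_received()),
@@ -198,13 +211,20 @@ def report(info):
 @app.route('/api/v1/stats/packet/<packet_id>')
 @packet_auth
-def packet_stats(packet_id):
+@before_request
+def packet_stats(packet_id, info=None):
+ if not info['is_upper'] and info['ritdn'] != Packet.by_id(packet_id).freshman.rit_username:
+ return 'Forbidden - not your packet', 403
 return stats.packet_stats(packet_id)
 @app.route('/api/v1/stats/upperclassman/<uid>')
 @packet_auth
-def upperclassman_stats(uid):
+@before_request
+def upperclassman_stats(uid, info=None):
+ if not info['is_upper']:
+ return 'Forbidden', 403
+
 return stats.upperclassman_stats(uid)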
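Review bot: In the first hunk get_packets_by_user denies every caller whose `ritdn` differs from the path username, so upperclassmen lose access to `/api/v1/packets/<username>` even though the PR sets out only to exclude freshmen and the three sibling handlers admit them through `info['is_upper']`; unless that asymmetry is intended, the guard should match them: `if not info['is_upper'] and info['ritdn'] != username:`. In get_packet_by_id and packet_stats the ownership comparison dereferences `Packet.by_id(packet_id).freshman` with nothing confirming the lookup found a row, so an unknown id presumably raises before the 403 is produced and surfaces as an unhandled 500 rather than a deliberate 403/404 — a `None` check ahead of the comparison would keep that failure path controlled. The `-> dict` annotations on the decorated handlers are now inaccurate, since each may also return a `(str, int)` tuple. The bodies of get_packets_by_user and get_packet_by_id continue past their hunks.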