diff --git a/flask/api.py b/flask/api.py
index bf01479..0c8b6e4 100644
--- a/flask/api.py
+++ b/flask/api.py
@@ -1,3 +1,4 @@
+from functools import wraps
 from flask import Blueprint, jsonify, abort, request
 from flask_login import current_user
 from db.models import database, OrdersPool, Order, OrderAddOn
@@ -15,18 +16,26 @@ def subs():
 ]
 )
-@api.route('/subs//sets')
-def sub_order_sets(username):
- try:
- sub = user_get(username)
- except:
- abort(403)
- return
-
- if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
- abort(403)
- return
+def authorized_sub(func):
+ @wraps(func)
+ def wrapper(*args, **kwargs):
+ try:
+ sub = user_get(request.view_args['username'])
+ except:
+ abort(403)
+ return
+
+ if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
+ abort(403)
+ return
+
+ kwargs['sub'] = sub
+ return func(*args, **kwargs)
+ return wrapper
+@api.route('/subs//sets')
+@authorized_sub
+def sub_order_sets(username, sub):
 return jsonify([
 {
 'id': op.id,
@@ -44,17 +53,8 @@ def sub_order_sets(username):
 ])
 @api.route('/subs//sets/', methods=['POST'])
-def sub_order_set_create(username):
- try:
- sub = user_get(username)
- except:
- abort(403)
- return
-
- if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
- abort(403)
- return
-
+@authorized_sub
+def sub_order_set_create(username, sub):
 # Create new
 with database.atomic() as transaction:
 try:
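Review bot: The bare `except:` around `user_get(request.view_args['username'])` in the new `authorized_sub` wrapper swallows every exception, including the `KeyError` raised when a decorated route has no `username` variable and even `SystemExit`/`KeyboardInterrupt`, and reports them all as a 403, which hides wiring bugs behind an authorization failure; it should be narrowed to the exception `user_get` raises for an unknown user (`except Exception:` at the very widest, with a note to tighten it). The `return` statements after each `abort(403)` are unreachable, because `abort` raises an `HTTPException`. `current_user.db_user` is read outside any guard, so unless this blueprint is already behind `login_required` (not visible in the hunk) an anonymous request raises `AttributeError` and surfaces as a 500 rather than a 403; an explicit `if not current_user.is_authenticated: abort(403)` before the lookup closes that gap. The decorator also has no docstring; a short one should say that it resolves the route's `username` into a user, rejects callers who are not that user's dom, and passes the user to the view as the `sub` keyword argument.
```python
def authorized_sub(func):
    """Resolve the route's ``username`` into a user, require that the
    current user is one of that user's doms, and pass the user to the
    view as ``sub``. Any failure is reported as 403."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        # Anonymous users have no db_user; reject before touching it.
        if not current_user.is_authenticated:
            abort(403)
        try:
            sub = user_get(request.view_args['username'])
        except Exception:  # TODO(review): narrow to what user_get raises for a missing user
            abort(403)
        allowed = {dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)}
        if sub.telegram_username not in allowed:
            abort(403)
        kwargs['sub'] = sub
        return func(*args, **kwargs)
    return wrapper
```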
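Review bot: `username` in the new signature `def sub_order_set_create(username, sub):` is no longer read by the body, since `authorized_sub` has already resolved it into `sub`, yet it has to remain because Flask passes the route variable as a keyword argument; a comment on the def line such as `# username is consumed by authorized_sub, which supplies sub` would spare the next reader a search for its use. The same point applies to `sub_order_sets` in the previous hunk and `sub_order_set` in the following one. The body of `sub_order_set_create` continues past the end of this hunk.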
@@ -90,17 +90,8 @@ def sub_order_set_create(username):
 return jsonify(new_order_pool.to_dict())
 @api.route('/subs//sets/', methods = ['GET', 'POST'])
-def sub_order_set(username, set_id):
- try:
- sub = user_get(username)
- except:
- abort(403)
- return
-
- if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
- abort(403)
- return
-
+@authorized_sub
+def sub_order_set(username, set_id, sub):
 op = orders_pool(sub.id, set_id)
 if request.method == 'POST':