@authorized_sub decorator

flask/api.py

@@ -1,3 +1,4 @@
+from functools import wraps
 from flask import Blueprint, jsonify, abort, request
 from flask_login import current_user
 from db.models import database, OrdersPool, Order, OrderAddOn
@@ -15,10 +16,11 @@ def subs():
     ]
   )
 
-@api.route('/subs/<username>/sets')
+def authorized_sub(func):
-def sub_order_sets(username):
+  @wraps(func)
+  def wrapper(*args, **kwargs):
     try:
-    sub = user_get(username)
+      sub = user_get(request.view_args['username'])
     except:
       abort(403)
       return
@@ -27,6 +29,13 @@ def sub_order_sets(username):
       abort(403)
       return
     
+    kwargs['sub'] = sub
+    return func(*args, **kwargs)
+  return wrapper
+
+@api.route('/subs/<username>/sets')
+@authorized_sub
+def sub_order_sets(username, sub):
   return jsonify([
     {
       'id': op.id,
@@ -44,17 +53,8 @@ def sub_order_sets(username):
   ])
 
 @api.route('/subs/<username>/sets/', methods=['POST'])
-def sub_order_set_create(username):
+@authorized_sub
-  try:
+def sub_order_set_create(username, sub):
-    sub = user_get(username)
-  except:
-    abort(403)
-    return
-  
-  if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
-    abort(403)
-    return
-
   # Create new
   with database.atomic() as transaction:
     try:
@@ -90,17 +90,8 @@ def sub_order_set_create(username):
   return jsonify(new_order_pool.to_dict())
 
 @api.route('/subs/<username>/sets/<set_id>', methods = ['GET', 'POST'])
-def sub_order_set(username, set_id):
+@authorized_sub
-  try:
+def sub_order_set(username, set_id, sub):
-    sub = user_get(username)
-  except:
-    abort(403)
-    return
-  
-  if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
-    abort(403)
-    return
-
   op = orders_pool(sub.id, set_id)
 
   if request.method == 'POST':