johnnygear/gear-orders
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

@authorized_sub decorator

Browse source
This commit is contained in:
Johnny Gear 2026-01-30 11:14:41 -06:00
parent 183c2c4c3b
commit 8153b23b2a
1 changed files with 24 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
flask/api.py
View file

@ -1,3 +1,4 @@
from functools import wraps
from flask import Blueprint, jsonify, abort, request from flask import Blueprint, jsonify, abort, request
from flask_login import current_user from flask_login import current_user
from db.models import database, OrdersPool, Order, OrderAddOn from db.models import database, OrdersPool, Order, OrderAddOn
@ -15,18 +16,26 @@ def subs():
] ]
) )
def authorized_sub(func):
@wraps(func)
def wrapper(*args, **kwargs):
try:
sub = user_get(request.view_args['username'])
except:
abort(403)
return
if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
abort(403)
return
kwargs['sub'] = sub
return func(*args, **kwargs)
return wrapper
@api.route('/subs/<username>/sets') @api.route('/subs/<username>/sets')
def sub_order_sets(username): @authorized_sub
try: def sub_order_sets(username, sub):
sub = user_get(username)
except:
abort(403)
return
if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
abort(403)
return
return jsonify([ return jsonify([
{ {
'id': op.id, 'id': op.id,
@ -44,17 +53,8 @@ def sub_order_sets(username):
]) ])
@api.route('/subs/<username>/sets/', methods=['POST']) @api.route('/subs/<username>/sets/', methods=['POST'])
def sub_order_set_create(username): @authorized_sub
try: def sub_order_set_create(username, sub):
sub = user_get(username)
except:
abort(403)
return
if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
abort(403)
return
# Create new # Create new
with database.atomic() as transaction: with database.atomic() as transaction:
try: try:
@ -90,17 +90,8 @@ def sub_order_set_create(username):
return jsonify(new_order_pool.to_dict()) return jsonify(new_order_pool.to_dict())
@api.route('/subs/<username>/sets/<set_id>', methods = ['GET', 'POST']) @api.route('/subs/<username>/sets/<set_id>', methods = ['GET', 'POST'])
def sub_order_set(username, set_id): @authorized_sub
try: def sub_order_set(username, set_id, sub):
sub = user_get(username)
except:
abort(403)
return
if sub.telegram_username not in [dsu.sub.telegram_username for dsu in domsubusers_list(current_user.db_user)]:
abort(403)
return
op = orders_pool(sub.id, set_id) op = orders_pool(sub.id, set_id)
if request.method == 'POST': if request.method == 'POST':