authorlonkaars <l.leblansch@gmail.com>2021-04-15 13:50:07 +0200
committerlonkaars <l.leblansch@gmail.com>2021-04-15 13:50:07 +0200
commitc5f71bc38772dedb033258416e0cd722f7b9e7af (patch)
tree4e607acfd8db65dd6dbf396463be539e8b83411a
parent7a2e2ea09aa75ddf02c70bd254d63a0f79670f80 (diff)
new hierarchy decorators
-rw-r--r--api/hierarchy.py52
-rw-r--r--api/social/create_relation.py22
-rw-r--r--api/social/destroy_relation.py7
-rw-r--r--api/social/friend_accept.py4
4 files changed, 52 insertions, 33 deletions
diff --git a/api/hierarchy.py b/api/hierarchy.py
index f75613c..20dcc45 100644
--- a/api/hierarchy.py
+++ b/api/hierarchy.py
@@ -1,29 +1,65 @@
from flask import request
from auth.login_token import token_login
+from user.info import valid_user_id
from db import cursor
ranks = ["none", "user", "moderator", "admin", "bot"]
+# This decorator doesn't check for hierarchy constraints, but does
+# make sure that token_id or explicit_id are valid user_id's
+def util_two_person(func):
+ def wrapper():
+ token_id = None
+ explicit_id = None
+
+ token = request.cookies.get("token") or ""
+ if token: token_id = token_login(token)
+
+ data = request.get_json()
+ if data: explicit_id = data.get("id")
+
+ if explicit_id and not valid_user_id(explicit_id): explicit_id = None
+
+ return func(token_id, explicit_id)
+
+ wrapper.__name__ = func.__name__
+ return wrapper
+
+
+# no authentication, just runs endpoint() if both token_id and
+# explicit_id are present from @util_two_person.
+def two_person(func):
+ @util_two_person
+ def wrapper(token_id, explicit_id):
+ if not token_id or \
+ not explicit_id:
+ return "", 400
+
+ return func(token_id, explicit_id)
+
+ wrapper.__name__ = func.__name__
+ return wrapper
+
+
# @auth_required function decorator (use after @flask.Blueprint.route() decorator)
+# This decorator only runs endpoint() if token_id from
+# @util_two_person is not None and passes hierarchy constraints
def auth_required(level):
def decorator(func):
- def wrapper():
- token = request.cookies.get("token") or ""
- if not token: return "", 403
-
- user_id = token_login(token)
- if not user_id: return "", 403
+ @util_two_person
+ def wrapper(token_id, explicit_id):
+ if not token_id: return "", 400
user_rank_text = cursor.execute(
- "select type from users where user_id = ?", [user_id]
+ "select type from users where user_id = ?", [token_id]
).fetchone()[0]
required_rank = ranks.index(level)
user_rank = ranks.index(user_rank_text)
if required_rank > user_rank: return "", 403
- return func(user_id)
+ return func(token_id)
wrapper.__name__ = func.__name__
return wrapper
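Review bot: `two_person` no longer enforces any rank. The `two_person_endpoint` it replaces (removed in api/social/create_relation.py) was wrapped in `@auth_required("user")`, while the new wrapper only checks that `token_id` and `explicit_id` are truthy, so an account whose `type` is "none" can now reach the relation, remove, unblock and accept routes. Its comment says "no authentication" although a valid token is still required; if rank-0 accounts are meant to stay barred, the rank lookup in `auth_required` should be shared rather than dropped, as sketched below. Separately, `util_two_person` calls `data.get("id")` on whatever `request.get_json()` returns, so a JSON body that is a list or a string raises AttributeError instead of producing a 4xx; `if isinstance(data, dict): explicit_id = data.get("id")` avoids that. The body of `auth_required` continues past the end of this hunk.

```python
# shared by auth_required and two_person so both apply the same rank rule
def has_rank(user_id, level):
    row = cursor.execute(
        "select type from users where user_id = ?", [user_id]
    ).fetchone()
    # a missing row or an unknown rank text counts as insufficient rank
    if row is None or row[0] not in ranks: return False
    return ranks.index(row[0]) >= ranks.index(level)

def two_person(func):
    @util_two_person
    def wrapper(token_id, explicit_id):
        if not token_id or \
            not explicit_id:
            return "", 400
        # keep the "user" floor that two_person_endpoint used to inherit
        if not has_rank(token_id, "user"): return "", 403

        return func(token_id, explicit_id)
    # … unchanged: wrapper.__name__ copy and return wrapper …
```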
diff --git a/api/social/create_relation.py b/api/social/create_relation.py
index af81b69..5367ac5 100644
--- a/api/social/create_relation.py
+++ b/api/social/create_relation.py
@@ -1,28 +1,10 @@
from flask import Blueprint, request
from db import cursor, connection
-from hierarchy import auth_required
+from hierarchy import auth_required, two_person
from socket_io import io
import time
-# @two_person_endpoint decorator
-# defines (user_1_id, user_2_id) in endpoint handler function arguments
-def two_person_endpoint(func):
- @auth_required("user")
- def wrapper(user_1_id):
- data = request.get_json()
- user_2_id = data.get("id") or ""
-
- if not user_1_id or \
- not user_2_id:
- return "", 403
-
- return func(user_1_id, user_2_id)
-
- wrapper.__name__ = func.__name__
- return wrapper
-
-
def create_relation(user_1_id, user_2_id, relation_type):
remove_relation(user_1_id, user_2_id)
remove_relation(user_2_id, user_1_id)
@@ -44,7 +26,7 @@ def remove_relation(user_1_id, user_2_id):
def create_relation_route(relation_type):
- @two_person_endpoint
+ @two_person
def route(user_1_id, user_2_id):
create_relation(user_1_id, user_2_id, relation_type)
diff --git a/api/social/destroy_relation.py b/api/social/destroy_relation.py
index ab72c48..2aa793b 100644
--- a/api/social/destroy_relation.py
+++ b/api/social/destroy_relation.py
@@ -1,15 +1,16 @@
from flask import Blueprint, request
from db import cursor
-from social.create_relation import remove_relation, two_person_endpoint
+from social.create_relation import remove_relation
from user.info import get_relation_to
from socket_io import io
+from hierarchy import two_person
import time
remove = Blueprint('remove', __name__)
@remove.route('/remove', methods=['POST'])
-@two_person_endpoint
+@two_person
def index(user_1_id, user_2_id):
relation = get_relation_to(user_1_id, user_2_id)
if relation == "none": return "", 403
@@ -27,7 +28,7 @@ unblock = Blueprint('unblock', __name__)
@unblock.route('/unblock', methods=['POST'])
-@two_person_endpoint
+@two_person
def index(user_1_id, user_2_id):
if get_relation_to(user_1_id, user_2_id) != "blocked": return "", 403
diff --git a/api/social/friend_accept.py b/api/social/friend_accept.py
index 4eb4837..b434272 100644
--- a/api/social/friend_accept.py
+++ b/api/social/friend_accept.py
@@ -1,14 +1,14 @@
from flask import Blueprint, request
from db import cursor, connection
-from social.create_relation import two_person_endpoint
from socket_io import io
+from hierarchy import two_person
import time
accept = Blueprint('accept', __name__)
@accept.route("/accept", methods=['POST'])
-@two_person_endpoint
+@two_person
def route(user_1_id, user_2_id):
cursor.execute(
"update social set type = \"friendship\" where user_1_id = ? and user_2_id = ?",