From e2466a6e4cda8ade7d755beae2d74e13454e91fa Mon Sep 17 00:00:00 2001
From: lonkaars <l.leblansch@gmail.com>
Date: Tue, 23 Mar 2021 19:44:43 +0100
Subject: auth_required decorator

---
 api/game/random.py      |  2 --
 api/hierarchy.py        | 26 ++++++++++++++++++++++++++
 api/test.py             | 12 ++++++++++++
 api/user/preferences.py | 24 +++++-------------------
 api/user/status.py      | 10 ++--------
 5 files changed, 45 insertions(+), 29 deletions(-)
 create mode 100644 api/hierarchy.py
 create mode 100644 api/test.py


diff --git a/api/game/random.py b/api/game/random.py
index ffba520..096d5be 100644
--- a/api/game/random.py
+++ b/api/game/random.py
@@ -13,8 +13,6 @@ random_game = Blueprint('random', __name__)
 
 @random_game.route('/random')
 def index():
-    data = request.get_json()
-
     token = request.cookies.get("token") or ""
     if not token:
         print("a temporary user should be set up here")
diff --git a/api/hierarchy.py b/api/hierarchy.py
new file mode 100644
index 0000000..6c1f0af
--- /dev/null
+++ b/api/hierarchy.py
@@ -0,0 +1,26 @@
+from flask import request
+from auth.login_token import token_login
+from db import cursor
+
+ranks = ["none", "user", "moderator", "admin", "bot"]
+
+def auth_required(level):
+    def decorator(func):
+        def wrapper():
+            token = request.cookies.get("token") or ""
+            if not token: return "", 403
+
+            user_id = token_login(token)
+            if not user_id: return "", 403
+
+            user_rank_text = cursor.execute("select type from users where user_id = ?", [user_id]).fetchone()[0]
+
+            required_rank = ranks.index(level)
+            user_rank = ranks.index(user_rank_text)
+            if required_rank > user_rank: return "", 403
+
+            return func(user_id)
+        wrapper.__name__ = func.__name__
+        return wrapper
+    return decorator
+
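Review bot: `cursor.execute(...).fetchone()[0]` and `ranks.index(user_rank_text)` will raise (TypeError on a missing users row, ValueError on a `type` value that is not one of `ranks`) and surface as a 500 instead of the 403 every other failure branch returns; the lookup should check the row and the rank before indexing. `wrapper()` also accepts no arguments, so any view with URL parameters will fail when Flask passes them, and copying only `__name__` loses the docstring and module that `functools.wraps` would preserve (needs `import functools` at the top of the file). `ranks.index(level)` can be hoisted out of the wrapper so an unknown `level` fails when the decorator is applied rather than on each request. Callers of this module share the module-level `cursor` from `db`; if that is a sqlite3 cursor and the app is served threaded, concurrent requests through this decorator would contend on it — worth confirming. Note that the decorator returns 403 where the views it replaces returned 401 for a missing cookie, which is a visible API change.
```python
def auth_required(level):
    required_rank = ranks.index(level)  # unknown level fails at decoration time, not per request

    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            # … unchanged: cookie lookup and token_login, both returning ("", 403) on failure …
            row = cursor.execute("select type from users where user_id = ?", [user_id]).fetchone()
            if row is None or row[0] not in ranks: return "", 403
            if required_rank > ranks.index(row[0]): return "", 403
            return func(user_id, *args, **kwargs)
        return wrapper
    return decorator
```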
diff --git a/api/test.py b/api/test.py
new file mode 100644
index 0000000..ba62f00
--- /dev/null
+++ b/api/test.py
@@ -0,0 +1,12 @@
+from flask import Blueprint
+from hierarchy import auth_required
+
+test = Blueprint('test_endpoint', __name__)
+
+@test.route('/test')
+@auth_required("user")
+def index():
+    return "Hello World!"
+
+dynamic_route = ["/", test]
+
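Review bot: `index()` declares no parameters, but the `wrapper` in api/hierarchy.py calls `func(user_id)` after a successful check, so a request with a valid "user"-rank token raises TypeError and returns 500 rather than "Hello World!"; the signature should be `def index(user_id):`. This file also mounts a scratch `/test` route at `"/"` through `dynamic_route`; if that list is what registers blueprints in the app, the endpoint ships with the API — presumably unintended, worth a `# TODO: remove before release` or gating it on a debug flag.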
diff --git a/api/user/preferences.py b/api/user/preferences.py
index 057bf41..9791bfe 100644
--- a/api/user/preferences.py
+++ b/api/user/preferences.py
@@ -1,7 +1,7 @@
 from flask import Blueprint, request
 from db import cursor, connection
-from auth.login_token import token_login
 from ruleset import resolve_ruleset
+from hierarchy import auth_required
 import json
 
 def format_preferences(prefs):
@@ -18,30 +18,16 @@ def format_preferences(prefs):
 preferences = Blueprint('preferences', __name__)
 
 @preferences.route('/preferences', methods = ["GET"])
-def get_preferences():
-    data = request.get_json()
-
-    token = request.cookies.get("token") or ""
-
-    if not token: return "", 401
-    login = token_login(token) or ""
-
-    if not login: return "", 403
-
+@auth_required("user")
+def get_preferences(login):
     user_prefs = cursor.execute("select preferences from users where user_id = ?", [login]).fetchone()
     return { "preferences": format_preferences(json.loads(user_prefs[0])) }, 200
 
 @preferences.route('/preferences', methods = ["POST"])
-def index():
+@auth_required("user")
+def index(login):
     data = request.get_json()
-
     new_preferences = data.get("newPreferences") or ""
-    token = request.cookies.get("token") or ""
-
-    if not token: return "", 401
-    login = token_login(token) or ""
-
-    if not login: return "", 403
 
     formatted_json = format_preferences(new_preferences)
 
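Review bot: Both views now answer 403 for a missing cookie where the removed code answered 401, because every failure branch of `auth_required` returns 403; if a client relied on 401 to trigger a login flow that distinction is gone, so either the decorator should return 401 for the no-token case or the change should be called out in the commit. The injected first argument is not documented anywhere, so a reader of `get_preferences(login)` cannot tell where `login` comes from; a one-line docstring such as `"""login is the user_id injected by @auth_required."""` on each view would close that gap. `index` continues past the hunk.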
diff --git a/api/user/status.py b/api/user/status.py
index e2895d5..030a4ef 100644
--- a/api/user/status.py
+++ b/api/user/status.py
@@ -1,21 +1,15 @@
 from flask import Blueprint, request
 from db import cursor, connection
-from auth.login_token import token_login
+from hierarchy import auth_required
 import json
 
 status = Blueprint('user_status', __name__)
 
 @status.route('/status', methods = ['POST'])
+@auth_required("user")
 def index():
     data = request.get_json()
-
     status = data.get("status") or ""
-    token = request.cookies.get("token") or ""
-
-    if not token: return "", 401
-    login = token_login(token) or ""
-
-    if not login: return "", 403
     if not status: return "", 400
 
     cursor.execute("update users set status = ? where user_id = ?", [status[0:200], login])
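Review bot: `index()` keeps an empty parameter list, but `auth_required`'s wrapper calls `func(user_id)`, so every authenticated request to `/status` raises TypeError and returns 500; the removed lines were the only thing that defined `login`, which the unchanged `update users ... where user_id = ?` call on the last line still reads. The fix is `def index(login):` so the injected user id is received and bound to the name the query uses. The function body continues past the hunk.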
-- 