diff --git a/app/controllers/require_permission.py b/app/controllers/require_permission.py index 9990fbe..813927b 100644 --- a/app/controllers/require_permission.py +++ b/app/controllers/require_permission.py @@ -9,19 +9,29 @@ from app.logger import log def check_permissions( entity_type: m.Permission.Entity, access: list[m.Permission.Access], - model: m, - entity_id_field: str, + entities_data: list[dict] | dict, ): request_args = ( {**request.view_args, **request.args} if request.view_args else {**request.args} ) + if type(entities_data) == dict: + entities_data = [entities_data] + entity = None + for entity_data in entities_data: + model = entity_data.get("model") + entity_id_field = entity_data.get("entity_id_field") + if not model or entity_id_field is None: + raise ValueError( + "One of required arguments(model, entity_id_field) is missions" + ) + + entity_id = request_args.get(entity_id_field) + if entity_id is None: + raise ValueError("entity_id not found") + entity: m.Book | m.Collection | m.Section | m.Interpretation = db.session.get( + model, entity_id + ) - entity_id = request_args.get(entity_id_field) - if entity_id is None: - raise ValueError("entity_id not found") - entity: m.Book | m.Collection | m.Section | m.Interpretation = db.session.get( - model, entity_id - ) if not entity or not entity.access_groups: flash("You do not have permission", "warning") return make_response(redirect(url_for("home.get_all"))) @@ -62,8 +72,7 @@ def check_permissions( def require_permission( entity_type: m.Permission.Entity, access: list[m.Permission.Access], - model: m, - entity_id_field: str, + entities_data: list[dict] | dict, ): def decorator(f): @functools.wraps(f) @@ -71,8 +80,7 @@ def require_permission( if response := check_permissions( entity_type=entity_type, access=access, - model=model, - entity_id_field=entity_id_field, + entities_data=entities_data, ): return response return f(*args, **kwargs) 
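Review bot: In the new `for entity_data in entities_data:` loop of check_permissions, `entity` is rebound on every iteration while the `if not entity or not entity.access_groups:` guard (and the access comparison that follows it, outside this hunk) stays at function level after the loop, so when several entities are passed only the last one is actually authorized and the earlier `db.session.get(model, entity_id)` lookups have no effect on the decision. The guard and the rest of the check should move into the loop body so the first entity that fails returns the redirect, i.e. indent `if not entity or not entity.access_groups:` and the two lines under it one level into the loop and do the same for the remaining checks. Two smaller points on the same lines: `type(entities_data) == dict` should be `isinstance(entities_data, dict)`, and the message `"One of required arguments(model, entity_id_field) is missions"` should read `is missing`. The `raise ValueError("entity_id not found")` carried over from the removed lines still turns a request lacking the id parameter into a 500 rather than a 400/404; not introduced here, but worth a follow-up now that the lookup is generalized. check_permissions continues past the end of this hunk.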
diff --git a/app/views/book/book.py b/app/views/book/book.py index 7fe5fa9..4eb27d1 100644 --- a/app/views/book/book.py +++ b/app/views/book/book.py @@ -116,8 +116,10 @@ def create(): @require_permission( entity_type=m.Permission.Entity.BOOK, access=[m.Permission.Access.U], - model=m.Book, - entity_id_field="book_id", + entity_data={ + "model": m.Book, + "entity_id_field": "book_id", + }, ) @login_required def edit(book_id: int): @@ -145,6 +147,16 @@ def edit(book_id: int): @bp.route("//delete", methods=["POST"]) +@require_permission( + entity_type=m.Permission.Entity.BOOK, + access=[m.Permission.Access.D], + entities_data=[ + { + "model": m.Book, + "entity_id_field": "book_id", + } + ], +) @login_required def delete(book_id: int): book: m.Book = db.session.get(m.Book, book_id) diff --git a/app/views/book/collection.py b/app/views/book/collection.py index 0a56e22..4063996 100644 --- a/app/views/book/collection.py +++ b/app/views/book/collection.py @@ -14,6 +14,7 @@ from app.controllers.delete_nested_book_entities import ( delete_nested_collection_entities, ) from app import models as m, db, forms as f +from app.controllers.require_permission import require_permission from app.logger import log from .bp import bp @@ -61,6 +62,12 @@ def sub_collection_view(book_id: int, collection_id: int): @bp.route("//create_collection", methods=["POST"]) @bp.route("///create_sub_collection", methods=["POST"]) @register_book_verify_route(bp.name) +@require_permission( + entity_type=m.Permission.Entity.COLLECTION, + access=[m.Permission.Access.C], + model=m.Collection, + entity_id_field="collection_id", +) @login_required def collection_create(book_id: int, collection_id: int | None = None): book: m.Book = db.session.get(m.Book, book_id)
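Review bot: The `edit` view in book.py passes `entity_data={...}` to `require_permission`, but the parameter introduced in require_permission.py by this same commit is named `entities_data`, so applying the decorator at import time raises `TypeError` for the unexpected keyword and the whole book blueprint fails to load. Rename the keyword to `entities_data={"model": m.Book, "entity_id_field": "book_id"}`; the single-dict form is accepted because check_permissions wraps a bare dict in a list. The body of `edit` continues outside the hunk.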
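Review bot: On the `delete` view the newly added `@require_permission(...)` is stacked above `@login_required`, so the permission check runs before the login check and an anonymous request reaches `db.session.get(model, entity_id)` and whatever check_permissions does with the current user afterwards (that part is outside this diff, so this is an inference) before the login redirect fires. Placing `@login_required` directly under the `@bp.route` line and above `@require_permission(...)` keeps the guarantee that unauthenticated callers are redirected without any entity lookup. The same ordering already appears on `edit` above and on `collection_create` in collection.py, so it is worth fixing consistently. The body of `delete` continues outside the hunk.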
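Review bot: The `@require_permission(...)` added to `collection_create` in collection.py still uses the removed keywords `model=m.Collection, entity_id_field="collection_id"`, which the new signature in require_permission.py no longer accepts, so this module raises `TypeError` on import. Even with the keyword fixed, `entity_id_field="collection_id"` does not fit the first of the two routes (`create_collection`, where `collection_id` is `None` and absent from the request arguments): check_permissions would raise `ValueError("entity_id not found")` for every top-level collection creation, and creating a collection should presumably be authorized against the parent `m.Book` via `book_id` rather than against a collection that does not exist yet. A form that covers both routes is `entities_data={"model": m.Book, "entity_id_field": "book_id"}`, with the sub-collection route additionally checked against the parent collection if the permission model requires it. The function body continues outside the hunk.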