
protect api routes from freshmen #295


Merged
merged 1 commit into from
Sep 3, 2021
Merged
30 changes: 25 additions & 5 deletions packet/routes/api.py
Expand Up @@ -96,10 +96,14 @@ def sync_ldap():

@app.route('/api/v1/packets/<username>', methods=['GET'])
@packet_auth
def get_packets_by_user(username: str) -> dict:
@before_request
def get_packets_by_user(username: str, info=None) -> dict:
"""
Return a dictionary of packets for a freshman by username, giving packet start and end date by packet id
"""

if info['ritdn'] != username:
return 'Forbidden - not your packet', 403
frosh = Freshman.by_username(username)

return {packet.id: {
Expand All @@ -110,10 +114,15 @@ def get_packets_by_user(username: str) -> dict:

@app.route('/api/v1/packets/<username>/newest', methods=['GET'])
@packet_auth
def get_newest_packet_by_user(username: str) -> dict:
@before_request
def get_newest_packet_by_user(username: str, info=None) -> dict:
"""
Return a user's newest packet
"""

if not info['is_upper'] and info['ritdn'] != username:
return 'Forbidden - not your packet', 403

frosh = Freshman.by_username(username)

packet = frosh.packets[-1]
Expand All @@ -130,13 +139,17 @@ def get_newest_packet_by_user(username: str) -> dict:

@app.route('/api/v1/packet/<packet_id>', methods=['GET'])
@packet_auth
def get_packet_by_id(packet_id: int) -> dict:
@before_request
def get_packet_by_id(packet_id: int, info=None) -> dict:
"""
Return the scores of the packet in question
"""

packet = Packet.by_id(packet_id)

if not info['is_upper'] and info['ritdn'] != packet.freshman.rit_username:
return 'Forbidden - not your packet', 403

return {
'required': vars(packet.signatures_required()),
'received': vars(packet.signatures_received()),
Expand Down Expand Up @@ -198,13 +211,20 @@ def report(info):

@app.route('/api/v1/stats/packet/<packet_id>')
@packet_auth
def packet_stats(packet_id):
@before_request
def packet_stats(packet_id, info=None):
if not info['is_upper'] and info['ritdn'] != Packet.by_id(packet_id).freshman.rit_username:
return 'Forbidden - not your packet', 403
return stats.packet_stats(packet_id)


@app.route('/api/v1/stats/upperclassman/<uid>')
@packet_auth
def upperclassman_stats(uid):
@before_request
def upperclassman_stats(uid, info=None):
if not info['is_upper']:
return 'Forbidden', 403

return stats.upperclassman_stats(uid)


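Review bot: The new guard in get_packets_by_user (first hunk) is the only one without the `info['is_upper']` bypass, so an upperclassman is allowed to read a freshman's newest packet and any packet by id but gets a 403 from the packet list for the same freshman; unless that asymmetry is intended, the check should read `if not info['is_upper'] and info['ritdn'] != username:` like the other four, and if it is intended a one-line comment stating why belongs above it. In get_packet_by_id and packet_stats the authorization check runs only after `Packet.by_id(packet_id)` is dereferenced, so an id that does not resolve appears to raise from `.freshman` before the 403 is reached and surfaces as a server error rather than a clean rejection; resolving the packet first and returning 404 (or 403) when it is missing keeps the deny path uniform. The `info=None` default on every handler means a call where the decorator did not inject info fails with a TypeError inside the check instead of a deliberate denial; if `before_request` always supplies it, dropping the default or documenting that it is required would make that contract visible. The handlers' remaining bodies and the definition of `before_request` are outside these hunks.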