Fix missing permissions check on Partners API

hotosm · Jun 13, 2024 · c9c09ed · c9c09ed
1 parent 7f2396b
commit c9c09ed
Showing 1 changed file with 40 additions and 1 deletion.
diff --git a/backend/api/partners/resources.py b/backend/api/partners/resources.py
@@ -2,7 +2,7 @@
 
 from backend.services.partner_service import PartnerService, PartnerServiceError
 from backend.services.users.authentication_service import token_auth
-
+from backend.models.postgis.user import User
 
 class PartnerRestAPI(Resource):
     @token_auth.login_required
@@ -37,6 +37,14 @@ def get(self, partner_id):
             500:
                 description: Internal Server Error
         """
+
+        request_user = User.get_by_id(token_auth.current_user())
+        if request_user.role != 1:
+            return {
+                "Error": "Only admin users can manage partners.",
+                "SubCode": "OnlyAdminAccess",
+            }, 403
+
         partner = PartnerService.get_partner_by_id(partner_id)
         if partner:
             partner_dict = partner.as_dto().to_primitive()
@@ -88,6 +96,13 @@ def delete(self, partner_id):
             500:
                 description: Internal Server Error
         """
+        request_user = User.get_by_id(token_auth.current_user())
+        if request_user.role != 1:
+            return {
+                "Error": "Only admin users can manage partners.",
+                "SubCode": "OnlyAdminAccess",
+            }, 403
+
         try:
             PartnerService.delete_partner(partner_id)
             return {"Success": "Partner deleted"}, 200
@@ -151,6 +166,14 @@ def put(self, partner_id):
             500:
                 description: Internal Server Error
         """
+
+        request_user = User.get_by_id(token_auth.current_user())
+        if request_user.role != 1:
+            return {
+                "Error": "Only admin users can manage partners.",
+                "SubCode": "OnlyAdminAccess",
+            }, 403
+
         try:
             data = request.json
             updated_partner = PartnerService.update_partner(partner_id, data)
@@ -176,6 +199,14 @@ def get(self):
             500:
                 description: Internal Server Error
         """
+
+        request_user = User.get_by_id(token_auth.current_user())
+        if request_user.role != 1:
+            return {
+                "Error": "Only admin users can manage partners.",
+                "SubCode": "OnlyAdminAccess",
+            }, 403
+
         partner_ids = PartnerService.get_all_partners()
         partners = []
         for partner_id in partner_ids:
@@ -240,6 +271,14 @@ def post(self):
             500:
                 description: Internal Server Error
         """
+
+        request_user = User.get_by_id(token_auth.current_user())
+        if request_user.role != 1:
+            return {
+                "Error": "Only admin users can manage partners.",
+                "SubCode": "OnlyAdminAccess",
+            }, 403
+
         try:
             data = request.json
             if data: