author | 2022-03-20 17:25:06 -0400 | |
---|---|---|
committer | 2022-03-20 17:25:06 -0400 | |
commit | 25fce5e0161c2d84d4a6b710aa5c83a863766f98 (patch) | |
tree | e3c15dad453f8d518bbf5335a14eddedf2c2d054 /backend/routes/forms/response.py | |
parent | Merge pull request #151 from python-discord/dependabot/pip/sentry-sdk-1.5.7 (diff) | |
parent | Merge branch 'main' into roles (diff) |
Merge pull request #135 from python-discord/roles
Overhaul Access System
Diffstat (limited to 'backend/routes/forms/response.py')
-rw-r--r-- | backend/routes/forms/response.py | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/backend/routes/forms/response.py b/backend/routes/forms/response.py
index d8d8d17..565701f 100644
--- a/backend/routes/forms/response.py
+++ b/backend/routes/forms/response.py
@@ -1,11 +1,13 @@
 """
 Returns or deletes form response by ID.
 """
+
 from spectree import Response as RouteResponse
 from starlette.authentication import requires
 from starlette.requests import Request
 from starlette.responses import JSONResponse
+from backend import discord
 from backend.models import FormResponse
 from backend.route import Route
 from backend.validation import ErrorMessage, OkayResponse, api
@@ -17,23 +19,26 @@ class Response(Route):
 name = "response"
 path = "/{form_id:str}/responses/{response_id:str}"
- @requires(["authenticated", "admin"])
+ @requires(["authenticated"])
 @api.validate(
 resp=RouteResponse(HTTP_200=FormResponse, HTTP_404=ErrorMessage),
 tags=["forms", "responses"]
 )
 async def get(self, request: Request) -> JSONResponse:
 """Return a single form response by ID."""
+ form_id = request.path_params["form_id"]
+ await discord.verify_response_access(form_id, request)
+
 if raw_response := await request.state.db.responses.find_one(
 {
 "_id": request.path_params["response_id"],
- "form_id": request.path_params["form_id"]
+ "form_id": form_id
 }
 ):
 response = FormResponse(**raw_response)
 return JSONResponse(response.dict())
 else:
- return JSONResponse({"error": "not_found"}, status_code=404)
+ return JSONResponse({"error": "response_not_found"}, status_code=404)
 @requires(["authenticated", "admin"])
 @api.validate( |
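Review bot: In `get`, authorization now rests entirely on the bare `await discord.verify_response_access(form_id, request)` call, whose return value is discarded, so the route is only protected if that helper raises on denial. Its body is not part of this hunk, so that should be confirmed before relying on it. Because `@requires(["authenticated"])` no longer states the privilege, I would add a comment above the call, for example `# Access control lives here, not in @requires: verify_response_access must raise if the caller may not read this form's responses.` The check is made per form, so the `"form_id": form_id` filter in the `find_one` query is what stops a response belonging to a different form from being read through a permitted form's path, and it should stay. A test that calls this route as an authenticated user without access to the form and expects a rejection would pin the behaviour.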