authorGravatar Hassan Abouelela <[email protected]>2022-02-05 17:39:33 +0400
committerGravatar Hassan Abouelela <[email protected]>2022-02-05 18:27:11 +0400
commit513de6945d40b66368a061dff6a81646e8bda7a0 (patch)
tree64f3ad8670cc9c1fffb6c8c2c0a5e9a8da04582f /backend/routes/forms/response.py
parentOverhaul Scope System (diff)
Add Role Based Authorized Readers
Adds a new property on forms to declare which roles are authorized to access form responses. Signed-off-by: Hassan Abouelela <[email protected]>
Diffstat (limited to 'backend/routes/forms/response.py')
-rw-r--r--backend/routes/forms/response.py18
1 files changed, 14 insertions, 4 deletions
diff --git a/backend/routes/forms/response.py b/backend/routes/forms/response.py
index d8d8d17..fbf8e99 100644
--- a/backend/routes/forms/response.py
+++ b/backend/routes/forms/response.py
@@ -1,11 +1,13 @@
"""
Returns or deletes form response by ID.
"""
+
from spectree import Response as RouteResponse
from starlette.authentication import requires
from starlette.requests import Request
from starlette.responses import JSONResponse
+from backend import discord
from backend.models import FormResponse
from backend.route import Route
from backend.validation import ErrorMessage, OkayResponse, api
@@ -17,23 +19,31 @@ class Response(Route):
name = "response"
path = "/{form_id:str}/responses/{response_id:str}"
- @requires(["authenticated", "admin"])
+ @requires(["authenticated"])
@api.validate(
- resp=RouteResponse(HTTP_200=FormResponse, HTTP_404=ErrorMessage),
+ resp=RouteResponse(HTTP_200=FormResponse, HTTP_401=ErrorMessage, HTTP_404=ErrorMessage),
tags=["forms", "responses"]
)
async def get(self, request: Request) -> JSONResponse:
"""Return a single form response by ID."""
+ form_id = request.path_params["form_id"]
+
+ try:
+ if not await discord.verify_response_access(form_id, request):
+ return JSONResponse({"error": "unauthorized"}, status_code=401)
+ except discord.FormNotFoundError:
+ return JSONResponse({"error": "form_not_found"}, status_code=404)
+
if raw_response := await request.state.db.responses.find_one(
{
"_id": request.path_params["response_id"],
- "form_id": request.path_params["form_id"]
+ "form_id": form_id
}
):
response = FormResponse(**raw_response)
return JSONResponse(response.dict())
else:
- return JSONResponse({"error": "not_found"}, status_code=404)
+ return JSONResponse({"error": "response_not_found"}, status_code=404)
@requires(["authenticated", "admin"])
@api.validate(
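Review bot: The early return `return JSONResponse({"error": "unauthorized"}, status_code=401)` answers an authorization failure with a 401, but `@requires(["authenticated"])` already guarantees the caller is authenticated when the body runs, so a caller that fails `discord.verify_response_access` is authenticated-but-forbidden and the conventional status is 403 (401 signals missing or invalid credentials and is expected to carry a `WWW-Authenticate` header). I would change the two lines to `HTTP_403=ErrorMessage` in the `resp=RouteResponse(...)` declaration and `status_code=403` in the return. Separately, because the `FormNotFoundError` branch returns 404 before any access decision, an authenticated caller without access can presumably tell existing form IDs from non-existent ones by the status code alone; whether that matters depends on whether form IDs are meant to be private and on where inside `verify_response_access` the existence check happens, which is outside this hunk. The docstring could also state the new gate, e.g. `"""Return a single form response by ID; the caller must pass discord.verify_response_access for the form."""`.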