authorGravatar Hassan Abouelela <[email protected]>2022-02-05 17:39:33 +0400
committerGravatar Hassan Abouelela <[email protected]>2022-02-05 18:27:11 +0400
commit513de6945d40b66368a061dff6a81646e8bda7a0 (patch)
tree64f3ad8670cc9c1fffb6c8c2c0a5e9a8da04582f /backend/routes/forms/responses.py
parentOverhaul Scope System (diff)
Add Role Based Authorized Readers
Adds a new property on forms to declare which roles are authorized to access form responses. Signed-off-by: Hassan Abouelela <[email protected]>
Diffstat (limited to 'backend/routes/forms/responses.py')
-rw-r--r--backend/routes/forms/responses.py17
1 files changed, 10 insertions, 7 deletions
diff --git a/backend/routes/forms/responses.py b/backend/routes/forms/responses.py
index f3c4cd7..1c8ebe3 100644
--- a/backend/routes/forms/responses.py
+++ b/backend/routes/forms/responses.py
@@ -7,9 +7,10 @@ from starlette.authentication import requires
from starlette.requests import Request
from starlette.responses import JSONResponse
+from backend import discord
from backend.models import FormResponse, ResponseList
from backend.route import Route
-from backend.validation import api, ErrorMessage, OkayResponse
+from backend.validation import ErrorMessage, OkayResponse, api
class ResponseIdList(BaseModel):
@@ -24,20 +25,22 @@ class Responses(Route):
name = "form_responses"
path = "/{form_id:str}/responses"
- @requires(["authenticated", "admin"])
+ @requires(["authenticated"])
@api.validate(
- resp=Response(HTTP_200=ResponseList, HTTP_404=ErrorMessage),
+ resp=Response(HTTP_200=ResponseList, HTTP_401=ErrorMessage, HTTP_404=ErrorMessage),
tags=["forms", "responses"]
)
async def get(self, request: Request) -> JSONResponse:
"""Returns all form responses by form ID."""
- if not await request.state.db.forms.find_one(
- {"_id": request.path_params["form_id"]}
- ):
+ form_id = request.path_params["form_id"]
+ try:
+ if not await discord.verify_response_access(form_id, request):
+ return JSONResponse({"error": "unauthorized"}, 401)
+ except discord.FormNotFoundError:
return JSONResponse({"error": "not_found"}, 404)
cursor = request.state.db.responses.find(
- {"form_id": request.path_params["form_id"]}
+ {"form_id": form_id}
)
responses = [
FormResponse(**response) for response in await cursor.to_list(None)
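Review bot: The denial branch in `get` answers an already-authenticated caller with 401, although `@requires(["authenticated"])` has accepted their identity by that point; 403 is the status for "known but not permitted", i.e. `return JSONResponse({"error": "unauthorized"}, 403)` with `HTTP_403=ErrorMessage` in `api.validate`. With "admin" dropped from the decorator, `discord.verify_response_access` is now the only authorization gate on response data. It is defined outside this diff, so it is worth confirming there that it denies by default when a form declares no reader roles or the role lookup fails. The separate 404 and 401 answers also let any authenticated user tell existing form IDs from missing ones, which may be acceptable if form IDs are public anyway. The body of `get` continues past the end of the hunk.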