From 513de6945d40b66368a061dff6a81646e8bda7a0 Mon Sep 17 00:00:00 2001
From: Hassan Abouelela <hassan@hassanamr.com>
Date: Sat, 5 Feb 2022 17:39:33 +0400
Subject: Add Role Based Authorized Readers

Adds a new property on forms to declare which roles are authorized to
access form responses.

Signed-off-by: Hassan Abouelela <hassan@hassanamr.com>
---
 backend/routes/forms/response.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'backend/routes/forms/response.py')

diff --git a/backend/routes/forms/response.py b/backend/routes/forms/response.py
index d8d8d17..fbf8e99 100644
--- a/backend/routes/forms/response.py
+++ b/backend/routes/forms/response.py
@@ -1,11 +1,13 @@
 """
 Returns or deletes form response by ID.
 """
+
 from spectree import Response as RouteResponse
 from starlette.authentication import requires
 from starlette.requests import Request
 from starlette.responses import JSONResponse
 
+from backend import discord
 from backend.models import FormResponse
 from backend.route import Route
 from backend.validation import ErrorMessage, OkayResponse, api
@@ -17,23 +19,31 @@ class Response(Route):
     name = "response"
     path = "/{form_id:str}/responses/{response_id:str}"
 
-    @requires(["authenticated", "admin"])
+    @requires(["authenticated"])
     @api.validate(
-        resp=RouteResponse(HTTP_200=FormResponse, HTTP_404=ErrorMessage),
+        resp=RouteResponse(HTTP_200=FormResponse, HTTP_401=ErrorMessage, HTTP_404=ErrorMessage),
         tags=["forms", "responses"]
     )
     async def get(self, request: Request) -> JSONResponse:
         """Return a single form response by ID."""
+        form_id = request.path_params["form_id"]
+
+        try:
+            if not await discord.verify_response_access(form_id, request):
+                return JSONResponse({"error": "unauthorized"}, status_code=401)
+        except discord.FormNotFoundError:
+            return JSONResponse({"error": "form_not_found"}, status_code=404)
+
         if raw_response := await request.state.db.responses.find_one(
             {
                 "_id": request.path_params["response_id"],
-                "form_id": request.path_params["form_id"]
+                "form_id": form_id
             }
         ):
             response = FormResponse(**raw_response)
             return JSONResponse(response.dict())
         else:
-            return JSONResponse({"error": "not_found"}, status_code=404)
+            return JSONResponse({"error": "response_not_found"}, status_code=404)
 
     @requires(["authenticated", "admin"])
     @api.validate(
-- 
cgit v1.2.3