From 2cac931e6c147d54bf518de1a7b5c853221cf6be Mon Sep 17 00:00:00 2001
From: Hassan Abouelela
Date: Sat, 15 May 2021 15:13:56 +0300
Subject: Adds A Dev Only Endpoint For Adding Admins

Copies the admin adding endpoint into an unprotected endpoint that is only registered in non-production builds.

Signed-off-by: Hassan Abouelela
---
 backend/routes/admin.py | 43 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 8 deletions(-)

(limited to 'backend')

diff --git a/backend/routes/admin.py b/backend/routes/admin.py
index 5254f8b..0fd0700 100644
--- a/backend/routes/admin.py
+++ b/backend/routes/admin.py
@@ -7,6 +7,7 @@ from starlette.authentication import requires
 from starlette.requests import Request
 from starlette.responses import JSONResponse
 
+from backend import constants
 from backend.route import Route
 from backend.validation import ErrorMessage, OkayResponse, api
 
@@ -15,6 +16,20 @@ class AdminModel(BaseModel):
     id: str = Field(alias="_id")
 
 
+async def grant(request: Request) -> JSONResponse:
+    """Grant a user administrator privileges."""
+    data = await request.json()
+    admin = AdminModel(**data)
+
+    if await request.state.db.admins.find_one(
+        {"_id": admin.id}
+    ):
+        return JSONResponse({"error": "already_exists"}, status_code=400)
+
+    await request.state.db.admins.insert_one(admin.dict(by_alias=True))
+    return JSONResponse({"status": "ok"})
+
+
 class AdminRoute(Route):
     """Adds new admin user."""
 
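Review bot: `grant` is now a module-level helper that performs no access control of its own, but its docstring does not say so, which matters now that a second, unauthenticated caller is being added; the docstring should state it, e.g. `"""Grant a user administrator privileges. Performs no authentication; callers must enforce access control."""`. The `find_one`-then-`insert_one` sequence in the same helper is also not atomic: two concurrent requests for the same id can both pass the check, and since `_id` is the document key the second `insert_one` would presumably raise a duplicate-key error from the driver, which is unhandled here and so likely surfaces as a 500 rather than the 400 the checked path returns. Catching that driver error around `insert_one` and returning the same `already_exists` response would close the gap; the driver's exception type is not visible in this hunk, so confirm it against the database client in use.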
@@ -29,13 +44,25 @@ class AdminRoute(Route):
     )
     async def post(self, request: Request) -> JSONResponse:
         """Grant a user administrator privileges."""
-        data = await request.json()
-        admin = AdminModel(**data)
+        return await grant(request)
 
-        if await request.state.db.admins.find_one(
-            {"_id": admin.id}
-        ):
-            return JSONResponse({"error": "already_exists"}, status_code=400)
 
-        await request.state.db.admins.insert_one(admin.dict(by_alias=True))
-        return JSONResponse({"status": "ok"})
+if not constants.PRODUCTION:
+    class AdminDev(Route):
+        """Adds new admin user with no authentication."""
+
+        name = "admin dev"
+        path = "/admin_dev"
+
+        @api.validate(
+            json=AdminModel,
+            resp=Response(HTTP_200=OkayResponse, HTTP_400=ErrorMessage),
+            tags=["admin"]
+        )
+        async def post(self, request: Request) -> JSONResponse:
+            """
+            A development only endpoint to grant a user administrator privileges.
+
+            Does not require authentication
+            """
+            return await grant(request)
-- 
cgit v1.2.3
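Review bot: The `if not constants.PRODUCTION` guard is the only thing keeping an unauthenticated admin-grant endpoint out of a production deployment, and it fails open: any configuration that leaves `PRODUCTION` falsy (how it is derived is not visible in this hunk) registers `/admin_dev` with no `@requires` decorator, unlike `AdminRoute`. A startup-time log line inside the block makes that state observable in a running instance, e.g. `logging.getLogger(__name__).warning("Registering unauthenticated %s endpoint (non-production build)", AdminDev.path)` placed after the class body (needs `import logging` at the top of the file). If `Route` registration permits it, consider defining `AdminDev` unconditionally and conditioning only its registration, so the module's namespace does not differ by environment and the guard is in one obvious place. The `post` docstring's second paragraph is missing its full stop: `Does not require authentication.`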