exclude internal description from being returned to unauthenticated users

Author: MoralCode

blueprints/v0.py

@@ -355,7 +355,10 @@ def list_bellschedules(school_id):
 
     schedules = BellScheduleDB.query.filter_by(school_id=school_id, soft_deleted=False)
 
-    return respond(BellScheduleSchema(exclude=('school_id',)).dump(schedules, many=True))
+    excluded_fields = exclude_unless_logged_in(['internal_description'])
+    excluded_fields.extend(('school_id',))
+
+    return respond(BellScheduleSchema(exclude=excluded_fields).dump(schedules, many=True))
 
 @blueprint.route("/bellschedule/<string:bell_schedule_id>", strict_slashes=False, methods=['GET'])
 @check_headers
@@ -397,7 +400,10 @@ def get_bellschedule(bell_schedule_id):
         if schedule.last_modified == since:
             return respond(code=304) #Not Modified
 
-    return respond(BellScheduleSchema(exclude=('soft_deleted',)).dump(schedule))
+    excluded_fields = exclude_unless_logged_in(['internal_description'])
+    excluded_fields.extend(('soft_deleted',))
+
+    return respond(BellScheduleSchema(exclude=excluded_fields).dump(schedule))
 
 
 @blueprint.route("/bellschedule", strict_slashes=False, methods=['POST'])

common/helpers.py

@@ -222,6 +222,13 @@ def get_api_user_id():
         return ""
 
 
+def exclude_unless_logged_in(fields: list):
+    is_admin = check_for_roles(["admin", "school admin"])
+    if is_admin:
+        return []
+    else:
+        return fields
+
 def get_token_auth_header():
     return get_valid_auth_header_of_type(AuthType.TOKEN)