Fixes #102: Защитить ручки Lecturer/Photo (#107)

* Lecturer Photo Security * Makefile * Comment deprication * Style
profcomff · Apr 24, 2024 · 8fffb14 · 8fffb14
1 parent 8976081
commit 8fffb14
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/calendar_backend/routes/lecturer/comment.py b/calendar_backend/routes/lecturer/comment.py
@@ -10,7 +10,7 @@
 
 
 settings = get_settings()
-router = APIRouter(prefix="/lecturer/{lecturer_id}", tags=["Lecturer: Comment"])
+router = APIRouter(prefix="/lecturer/{lecturer_id}", tags=["Lecturer: Comment"], deprecated=True)
 
 
 @router.post("/comment/", response_model=CommentLecturer)

diff --git a/calendar_backend/routes/lecturer/comment_review.py b/calendar_backend/routes/lecturer/comment_review.py
@@ -11,7 +11,7 @@
 from calendar_backend.routes.models import CommentLecturer
 
 
-router = APIRouter(prefix="/lecturer/{lecturer_id}/comment", tags=["Lecturer: Comment Review"])
+router = APIRouter(prefix="/lecturer/{lecturer_id}/comment", tags=["Lecturer: Comment Review"], deprecated=True)
 
 
 @router.get("/review/", response_model=list[CommentLecturer])

diff --git a/calendar_backend/routes/lecturer/photo.py b/calendar_backend/routes/lecturer/photo.py
@@ -1,4 +1,5 @@
-from fastapi import APIRouter, File, UploadFile
+from auth_lib.fastapi import UnionAuth
+from fastapi import APIRouter, Depends, File, UploadFile
 from fastapi_sqlalchemy import db
 
 from calendar_backend.exceptions import ObjectNotFound
@@ -14,7 +15,11 @@
 
 
 @router.post("/photo", response_model=Photo)
-async def upload_photo(lecturer_id: int, photo: UploadFile = File(...)) -> Photo:
+async def upload_photo(
+    lecturer_id: int,
+    photo: UploadFile = File(...),
+    _=Depends(UnionAuth(scopes=["timetable.lecturer.photo.create"])),
+) -> Photo:
     """Загрузить фотографию преподавателя из локального файла
 
     Пример загрузки файла на питоне
@@ -50,7 +55,11 @@ async def get_lecturer_photos(lecturer_id: int, limit: int = 10, offset: int = 0
 
 
 @router.delete("/photo/{id}", response_model=None)
-async def delete_photo(id: int, lecturer_id: int) -> None:
+async def delete_photo(
+    id: int,
+    lecturer_id: int,
+    _=Depends(UnionAuth(scopes=["timetable.lecturer.photo.delete"])),
+) -> None:
     photo = DbPhoto.get(id, only_approved=False, session=db.session)
     if photo.lecturer_id != lecturer_id:
         raise ObjectNotFound(DbPhoto, id)