feat(sensor): only allow admins to patch

Signed-off-by: GustaafL <guus@seita.nl>
FlexMeasures · Aug 4, 2023 · 527c43e · 527c43e
1 parent b1a85e8
commit 527c43e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 11 deletions.
diff --git a/flexmeasures/api/v3_0/sensors.py b/flexmeasures/api/v3_0/sensors.py
@@ -596,10 +596,10 @@ def post(self, sensor_data: dict):
 
     @route("/<id>", methods=["PATCH"])
     @use_args(partial_sensor_schema)
-    @use_kwargs({"db_sensor": SensorIdField(data_key="id")}, location="path")
-    @permission_required_for_context("update", ctx_arg_name="db_sensor")
+    @use_kwargs({"sensor": SensorIdField(data_key="id")}, location="path")
+    @permission_required_for_context("update", ctx_arg_name="sensor")
     @as_json
-    def patch(self, sensor_data: dict, id: int, db_sensor: Sensor):
+    def patch(self, sensor_data: dict, id: int, sensor: Sensor):
         """Update a sensor given its identifier.
 
         .. :quickref: Sensor; Update a sensor
@@ -646,10 +646,10 @@ def patch(self, sensor_data: dict, id: int, db_sensor: Sensor):
         :status 422: UNPROCESSABLE_ENTITY
         """
         for k, v in sensor_data.items():
-            setattr(db_sensor, k, v)
-        db.session.add(db_sensor)
+            setattr(sensor, k, v)
+        db.session.add(sensor)
         db.session.commit()
-        return sensor_schema.dump(db_sensor), 200
+        return sensor_schema.dump(sensor), 200
 
     @route("/<id>", methods=["DELETE"])
     @use_kwargs({"sensor": SensorIdField(data_key="id")}, location="path")

diff --git a/flexmeasures/api/v3_0/tests/test_sensors_api.py b/flexmeasures/api/v3_0/tests/test_sensors_api.py
@@ -155,10 +155,9 @@ def test_patch_sensor_for_excluded_attribute(
     assert response.json["message"]["json"][attribute] == ["Unknown field."]
 
 
-def test_patch_sensor_from_unrelated_account(client, setup_api_test_data):
-    """Try to change the name of a sensor that is in an account the user does not
-    have access to"""
-    headers = make_headers_for("test_prosumer_user_2@seita.nl", client)
+def test_patch_sensor_non_admin(client, setup_api_test_data):
+    """Try to change the name of a sensor with a non admin account"""
+    headers = make_headers_for("test_supplier_user_4@seita.nl", client)
 
     sensor = Sensor.query.filter(Sensor.name == "some temperature sensor").one_or_none()
 

diff --git a/flexmeasures/data/models/time_series.py b/flexmeasures/data/models/time_series.py
@@ -102,7 +102,10 @@ def __acl__(self):
             "read": f"account:{self.generic_asset.account_id}"
             if self.generic_asset.account_id is not None
             else EVERY_LOGGED_IN_USER,
-            "update": f"account:{self.generic_asset.account_id}",
+            "update": (
+                f"account:{self.generic_asset.account_id}",
+                "role:account-admin",
+            ),
             "delete": (
                 f"account:{self.generic_asset.account_id}",
                 "role:account-admin",