Move permission check for /GET and /POST sensor data into endpoint de…

…finition (was: schema), just like others. Became possible with recent enhancements of permission_required_for_context capabilities Signed-off-by: Nicolas Höning <nicolas@seita.nl>
FlexMeasures · Sep 20, 2023 · 6423c75 · 6423c75
1 parent 65fdba4
commit 6423c75
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 13 deletions.
diff --git a/flexmeasures/api/common/schemas/sensor_data.py b/flexmeasures/api/common/schemas/sensor_data.py
@@ -28,7 +28,6 @@
     units_are_convertible,
     is_energy_price_unit,
 )
-from flexmeasures.auth.policy import check_access
 
 
 class SingleValueField(fields.Float):
@@ -119,10 +118,6 @@ class GetSensorDataSchema(SensorDataDescriptionSchema):
         ),
     )
 
-    @validates_schema
-    def check_user_may_read(self, data, **kwargs):
-        check_access(data["sensor"], "read")
-
     @validates_schema
     def check_schema_unit_against_type(self, data, **kwargs):
         requested_unit = data["unit"]
@@ -141,8 +136,8 @@ def check_schema_unit_against_type(self, data, **kwargs):
                 f"The unit requested for this message type should be convertible from an energy price unit, got incompatible unit: {requested_unit}"
             )
 
-    @post_load
-    def dump_bdf(self, sensor_data_description: dict, **kwargs) -> dict:
+    @staticmethod
+    def load_data_and_make_response(sensor_data_description: dict) -> dict:
         """Turn the de-serialized and validated data description into a response.
 
         Specifically, this function:
@@ -249,10 +244,6 @@ class PostSensorDataSchema(SensorDataDescriptionSchema):
         many=False,
     )
 
-    @validates_schema
-    def check_user_may_create(self, data, **kwargs):
-        check_access(data["sensor"], "create-children")
-
     @validates_schema
     def check_schema_unit_against_type(self, data, **kwargs):
         posted_unit = data["unit"]

diff --git a/flexmeasures/api/v3_0/sensors.py b/flexmeasures/api/v3_0/sensors.py
@@ -115,6 +115,12 @@ def index(self, account: Account):
         post_sensor_schema,
         location="json",
     )
+    @permission_required_for_context(
+        "create-children",
+        ctx_arg_pos=1,
+        ctx_loader=lambda abdf: abdf.sensor,
+        pass_ctx_to_loader=True,
+    )
     def post_data(self, bdf: BeliefsDataFrame):
         """
         Post sensor data to FlexMeasures.
@@ -160,7 +166,8 @@ def post_data(self, bdf: BeliefsDataFrame):
         get_sensor_schema,
         location="query",
     )
-    def get_data(self, response: dict):
+    @permission_required_for_context("read", ctx_arg_pos=1, ctx_arg_name="sensor")
+    def get_data(self, sensor_data_description: dict):
         """Get sensor data from FlexMeasures.
 
         .. :quickref: Data; Download sensor data
@@ -195,6 +202,9 @@ def get_data(self, response: dict):
         :status 403: INVALID_SENDER
         :status 422: UNPROCESSABLE_ENTITY
         """
+        response = GetSensorDataSchema.load_data_and_make_response(
+            sensor_data_description
+        )
         d, s = request_processed()
         return dict(**response, **d), s
 

diff --git a/flexmeasures/auth/decorators.py b/flexmeasures/auth/decorators.py
@@ -7,6 +7,7 @@
 
 from typing import Callable
 from functools import wraps
+import inspect
 from flask import current_app
 from flask_json import as_json
 from flask_security import (
@@ -184,7 +185,9 @@ def decorated_view(*args, **kwargs):
             # if a loader is given, use that, otherwise fall back to context_from_args
             if ctx_loader is not None:
                 if pass_ctx_to_loader:
-                    if issubclass(ctx_loader, AuthModelMixin):
+                    if inspect.isclass(ctx_loader) and issubclass(
+                        ctx_loader, AuthModelMixin
+                    ):
                         context = ctx_loader.query.get(context_from_args)
                     else:
                         context = ctx_loader(context_from_args)