From 1b32b324e78da742281c1b796249af2f5b12dfd8 Mon Sep 17 00:00:00 2001
From: Artem Morozov
Date: Fri, 28 Jul 2023 21:23:21 +0300
Subject: [PATCH 1/3] Userdata fixes.

---
 userdata_api/settings.py | 2 +-
 userdata_api/utils/user.py | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/userdata_api/settings.py b/userdata_api/settings.py
index dfaa13e..84e3a05 100644
--- a/userdata_api/settings.py
+++ b/userdata_api/settings.py
@@ -8,7 +8,7 @@ class Settings(BaseSettings):
     """Application settings"""
-    DB_DSN: PostgresDsn
+    DB_DSN: PostgresDsn = 'postgresql://postgres@localhost:5432/postgres'
     ROOT_PATH: str = '/' + os.getenv("APP_NAME", "")
     CORS_ALLOW_ORIGINS: list[str] = ['*']
diff --git a/userdata_api/utils/user.py b/userdata_api/utils/user.py
index 6afb8d5..a29370e 100644
--- a/userdata_api/utils/user.py
+++ b/userdata_api/utils/user.py
@@ -34,7 +34,7 @@ async def patch_user_info(
         raise Forbidden(f"Admin source requires 'userdata.info.admin' scope")
     if new.source != "admin" and new.source != "user":
         raise Forbidden("HTTP protocol applying only 'admin' and 'user' source")
-    if new.source == "user" and user["user_id"] != user_id:
+    if new.source == "user" and user["id"] != user_id:
         raise Forbidden(f"'user' source requires information own")
     for item in new.items:
         param = (
@@ -50,7 +50,11 @@ async def patch_user_info(
         )
         if not param:
             raise ObjectNotFound(Param, item.param)
-        if param.category.update_scope not in scope_names and not (new.source == "user" and user["user_id"] == user_id):
+        if (
+            param.category.update_scope not in scope_names
+            and param.category.update_scope is not None
+            and not (new.source == "user" and user["id"] == user_id)
+        ):
             db.session.rollback()
             raise Forbidden(f"Updating category {param.category.name=} requires {param.category.update_scope=} scope")
         info = (
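Review bot: The new `DB_DSN` default replaces a fail-fast startup error with a silent fallback: a deployment that forgets to set `DB_DSN` now boots and connects to `postgres@localhost:5432` as the `postgres` role with no password, where the previously required field would have refused to start. If the default exists for local development, say so next to it and keep production failing fast, e.g. leave `DB_DSN: PostgresDsn  # required; set via environment` and supply the dev value through `.env` or a dev-only settings profile. At minimum put `# Development default only; production must set DB_DSN explicitly` directly above the line so it is not shipped as-is.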
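Review bot: The added `param.category.update_scope is not None` term changes the meaning of a missing scope from "nobody can update this category" to "no extra scope is required", and nothing in the hunk records that decision. Together with the guard earlier in `patch_user_info` (for `new.source == "user"` it already raises unless `user["id"] == user_id`, so the trailing `not (...)` term is always false on that path), the per-category scope is effectively only enforced for admin-sourced patches; a comment above `if (` would spare the next reader that derivation, e.g. `# No update_scope means no extra scope is needed; own-user patches were authorized above, so this only constrains admin-sourced updates.` Separately, the `ObjectNotFound` branch just above returns without `db.session.rollback()` while the Forbidden branch rolls back — presumably the session is cleaned up by the caller, but worth confirming. `patch_user_info` starts before and ends after this hunk.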
@@ -105,7 +109,7 @@ async def get_user_info(user_id: int, user: dict[str, int | list[dict[str, str |
     param_dict: dict[Param, list[Info] | Info | None] = {}
     for info in infos:
         ## Проверка доступов - нужен либо скоуп на категориию либо нужно быть овнером информации
-        if info.category.read_scope and info.category.read_scope not in scope_names and user["user_id"] != user_id:
+        if info.category.read_scope and info.category.read_scope not in scope_names and user["id"] != user_id:
             continue
         if info.param not in param_dict.keys():
             param_dict[info.param] = [] if info.param.pytype == list[str] else None

From f16f7dbdc2ff85e8b6af052aa70c01fd6ab053b6 Mon Sep 17 00:00:00 2001
From: Morozov Artem <126605382+Temmmmmo@users.noreply.github.com>
Date: Sat, 29 Jul 2023 00:20:28 +0300
Subject: [PATCH 2/3] Fixes after review

---
 userdata_api/utils/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/userdata_api/utils/user.py b/userdata_api/utils/user.py
index a29370e..b3328c7 100644
--- a/userdata_api/utils/user.py
+++ b/userdata_api/utils/user.py
@@ -51,8 +51,8 @@ async def patch_user_info(
         if not param:
             raise ObjectNotFound(Param, item.param)
         if (
+            param.category.update_scope is not None and
             param.category.update_scope not in scope_names
-            and param.category.update_scope is not None
             and not (new.source == "user" and user["id"] == user_id)
         ):
             db.session.rollback()
From 99f25145e8d4f7e56f1680af5f85b26347f4acb2 Mon Sep 17 00:00:00 2001
From: Morozov Artem <126605382+Temmmmmo@users.noreply.github.com>
Date: Sat, 29 Jul 2023 00:31:35 +0300
Subject: [PATCH 3/3] Update user.py

Linting fixes
---
 userdata_api/utils/user.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/userdata_api/utils/user.py b/userdata_api/utils/user.py
index b3328c7..8505ac2 100644
--- a/userdata_api/utils/user.py
+++ b/userdata_api/utils/user.py
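Review bot: The read-side guard treats any falsy `read_scope` (`None` or `""`) as unrestricted, whereas the update path changed in the same commit uses `update_scope is not None`, so an empty-string scope would be open for reads yet enforced — and unsatisfiable, since `"" not in scope_names` — for updates. If the scope columns can hold empty strings, align the two with `if info.category.read_scope is not None and info.category.read_scope not in scope_names and user["id"] != user_id:`; if they can only be `None`, `is not None` still makes the intent explicit. The Russian comment above the check would also be clearer to most readers in English: `# Access check: the reader needs the category's read scope or must own the info`. `get_user_info` starts before and ends after this hunk.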
@@ -51,8 +51,8 @@ async def patch_user_info(
         if not param:
             raise ObjectNotFound(Param, item.param)
         if (
-            param.category.update_scope is not None and
-            param.category.update_scope not in scope_names
+            param.category.update_scope is not None
+            and param.category.update_scope not in scope_names
             and not (new.source == "user" and user["id"] == user_id)
         ):
             db.session.rollback()