remove get_current_user_if_admin
This commit is contained in:
parent
9b5a98e0c0
commit
3b66565481
4 changed files with 34 additions and 38 deletions
|
@ -5,7 +5,6 @@ Common dependencies for routers.
|
||||||
|
|
||||||
from fastapi import Depends, HTTPException, status
|
from fastapi import Depends, HTTPException, status
|
||||||
from fastapi.security import OAuth2PasswordBearer
|
from fastapi.security import OAuth2PasswordBearer
|
||||||
from kiwi_vpn_api.db.tag import TagValue
|
|
||||||
|
|
||||||
from ..config import Config, Settings
|
from ..config import Config, Settings
|
||||||
from ..db import Device, User
|
from ..db import Device, User
|
||||||
|
@ -41,8 +40,8 @@ class Responses:
|
||||||
"description": "Must be admin",
|
"description": "Must be admin",
|
||||||
"content": None,
|
"content": None,
|
||||||
}
|
}
|
||||||
PERMISSION_ERROR = {
|
NEEDS_PERMISSION = {
|
||||||
"description": "You're not allowed that action",
|
"description": "You're not allowed that operation",
|
||||||
"content": None,
|
"content": None,
|
||||||
}
|
}
|
||||||
ENTRY_EXISTS = {
|
ENTRY_EXISTS = {
|
||||||
|
@ -53,10 +52,6 @@ class Responses:
|
||||||
"description": "Entry does not exist in database",
|
"description": "Entry does not exist in database",
|
||||||
"content": None,
|
"content": None,
|
||||||
}
|
}
|
||||||
CANT_TARGET_SELF = {
|
|
||||||
"description": "Operation can't target yourself",
|
|
||||||
"content": None,
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
async def get_current_user(
|
async def get_current_user(
|
||||||
|
@ -81,19 +76,6 @@ async def get_current_user(
|
||||||
return user
|
return user
|
||||||
|
|
||||||
|
|
||||||
async def get_current_user_if_admin(
|
|
||||||
current_user: User = Depends(get_current_user),
|
|
||||||
) -> User:
|
|
||||||
"""
|
|
||||||
Fail if the currently logged-in user is not an admin.
|
|
||||||
"""
|
|
||||||
|
|
||||||
if current_user.has_tag(TagValue.admin):
|
|
||||||
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
|
||||||
|
|
||||||
return current_user
|
|
||||||
|
|
||||||
|
|
||||||
async def get_user_by_name(
|
async def get_user_by_name(
|
||||||
user_name: str,
|
user_name: str,
|
||||||
current_config: Config | None = Depends(Config.load),
|
current_config: Config | None = Depends(Config.load),
|
||||||
|
|
|
@ -8,7 +8,7 @@ from sqlmodel import select
|
||||||
|
|
||||||
from ..config import Config
|
from ..config import Config
|
||||||
from ..db import Connection, TagValue, User, UserCreate
|
from ..db import Connection, TagValue, User, UserCreate
|
||||||
from ._common import Responses, get_current_user_if_admin
|
from ._common import Responses, get_current_user
|
||||||
|
|
||||||
router = APIRouter(prefix="/admin", tags=["admin"])
|
router = APIRouter(prefix="/admin", tags=["admin"])
|
||||||
|
|
||||||
|
@ -79,12 +79,16 @@ async def create_initial_admin(
|
||||||
)
|
)
|
||||||
async def set_config(
|
async def set_config(
|
||||||
config: Config,
|
config: Config,
|
||||||
_: User = Depends(get_current_user_if_admin),
|
current_user: User = Depends(get_current_user),
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
PUT ./config: Edit `kiwi-vpn` main config.
|
PUT ./config: Edit `kiwi-vpn` main config.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
# check permissions
|
||||||
|
if not current_user.has_tag(TagValue.admin):
|
||||||
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
# update config file, reconnect to database
|
# update config file, reconnect to database
|
||||||
config.save()
|
config.save()
|
||||||
Connection.connect(config.db.uri)
|
Connection.connect(config.db.uri)
|
||||||
|
|
|
@ -17,7 +17,7 @@ router = APIRouter(prefix="/device", tags=["device"])
|
||||||
status.HTTP_200_OK: Responses.OK,
|
status.HTTP_200_OK: Responses.OK,
|
||||||
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
||||||
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
||||||
status.HTTP_403_FORBIDDEN: Responses.PERMISSION_ERROR,
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
||||||
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
||||||
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
||||||
},
|
},
|
||||||
|
|
|
@ -8,8 +8,7 @@ from pydantic import BaseModel
|
||||||
|
|
||||||
from ..config import Config
|
from ..config import Config
|
||||||
from ..db import TagValue, User, UserCreate, UserRead
|
from ..db import TagValue, User, UserCreate, UserRead
|
||||||
from ._common import (Responses, get_current_user, get_current_user_if_admin,
|
from ._common import Responses, get_current_user, get_user_by_name
|
||||||
get_user_by_name)
|
|
||||||
|
|
||||||
router = APIRouter(prefix="/user", tags=["user"])
|
router = APIRouter(prefix="/user", tags=["user"])
|
||||||
|
|
||||||
|
@ -54,7 +53,7 @@ async def login(
|
||||||
|
|
||||||
|
|
||||||
@router.get("/current", response_model=UserRead)
|
@router.get("/current", response_model=UserRead)
|
||||||
async def get_current_user(
|
async def get_current_user_route(
|
||||||
current_user: User = Depends(get_current_user),
|
current_user: User = Depends(get_current_user),
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
|
@ -77,13 +76,17 @@ async def get_current_user(
|
||||||
)
|
)
|
||||||
async def add_user(
|
async def add_user(
|
||||||
user: UserCreate,
|
user: UserCreate,
|
||||||
_: User = Depends(get_current_user_if_admin),
|
current_user: User = Depends(get_current_user),
|
||||||
) -> User:
|
) -> User:
|
||||||
"""
|
"""
|
||||||
POST ./: Create a new user in the database.
|
POST ./: Create a new user in the database.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# actually create the new user
|
# check permissions
|
||||||
|
if not current_user.can_create(User):
|
||||||
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
# create the new user
|
||||||
new_user = User.create(user=user)
|
new_user = User.create(user=user)
|
||||||
|
|
||||||
# fail if creation was unsuccessful
|
# fail if creation was unsuccessful
|
||||||
|
@ -103,23 +106,22 @@ async def add_user(
|
||||||
status.HTTP_200_OK: Responses.OK,
|
status.HTTP_200_OK: Responses.OK,
|
||||||
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
||||||
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
||||||
status.HTTP_403_FORBIDDEN: Responses.NEEDS_ADMIN,
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
||||||
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
||||||
status.HTTP_406_NOT_ACCEPTABLE: Responses.CANT_TARGET_SELF,
|
|
||||||
},
|
},
|
||||||
response_model=User,
|
response_model=User,
|
||||||
)
|
)
|
||||||
async def remove_user(
|
async def remove_user(
|
||||||
current_user: User = Depends(get_current_user_if_admin),
|
current_user: User = Depends(get_current_user),
|
||||||
user: User = Depends(get_user_by_name),
|
user: User = Depends(get_user_by_name),
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
DELETE ./{user_name}: Remove a user from the database.
|
DELETE ./{user_name}: Remove a user from the database.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# stop inting
|
# check permissions
|
||||||
if current_user.name == user.name:
|
if not current_user.can_admin(user):
|
||||||
raise HTTPException(status_code=status.HTTP_406_NOT_ACCEPTABLE)
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
# delete user
|
# delete user
|
||||||
user.delete()
|
user.delete()
|
||||||
|
@ -136,15 +138,19 @@ async def remove_user(
|
||||||
)
|
)
|
||||||
async def extend_tags(
|
async def extend_tags(
|
||||||
tags: list[TagValue],
|
tags: list[TagValue],
|
||||||
_: User = Depends(get_current_user_if_admin),
|
current_user: User = Depends(get_current_user),
|
||||||
user: User = Depends(get_user_by_name),
|
user: User = Depends(get_user_by_name),
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
POST ./{user_name}/tags: Add tags to a user.
|
POST ./{user_name}/tags: Add tags to a user.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
user.add_tags(tags)
|
# check permissions
|
||||||
|
if not current_user.can_admin(user):
|
||||||
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
# change user
|
||||||
|
user.add_tags(tags)
|
||||||
user.update()
|
user.update()
|
||||||
|
|
||||||
|
|
||||||
|
@ -159,13 +165,17 @@ async def extend_tags(
|
||||||
)
|
)
|
||||||
async def remove_tags(
|
async def remove_tags(
|
||||||
tags: list[TagValue],
|
tags: list[TagValue],
|
||||||
_: User = Depends(get_current_user_if_admin),
|
current_user: User = Depends(get_current_user),
|
||||||
user: User = Depends(get_user_by_name),
|
user: User = Depends(get_user_by_name),
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
DELETE ./{user_name}/tags: Remove tags from a user.
|
DELETE ./{user_name}/tags: Remove tags from a user.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
user.remove_tags(tags)
|
# check permissions
|
||||||
|
if not current_user.can_admin(user):
|
||||||
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
|
# change user
|
||||||
|
user.remove_tags(tags)
|
||||||
user.update()
|
user.update()
|
||||||
|
|
Loading…
Reference in a new issue