fix: add allowed_views in more get routes

e67ac230 · robban64 · 805ddf8c · e67ac230 · e67ac230 · e67ac230
Commit e67ac230 authored 4 years ago by robban64
--- a/server/app/apis/alternatives.py
+++ b/server/app/apis/alternatives.py
@@ -17,7 +17,7 @@ question_alternative_parser.add_argument("value", type=int, default=None, locati
 @api.route("")
 @api.param("competition_id, slide_id, question_id")
 class QuestionAlternativeList(Resource):
-    @protect_route(allowed_roles=["*"], allowed_views=["Team", "Judge"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def get(self, competition_id, slide_id, question_id):
        items = dbc.get.question_alternative_list(competition_id, slide_id, question_id)
        return list_response(list_schema.dump(items))
@@ -32,7 +32,7 @@ class QuestionAlternativeList(Resource):
 @api.route("/<alternative_id>")
 @api.param("competition_id, slide_id, question_id, alternative_id")
 class QuestionAlternatives(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def get(self, competition_id, slide_id, question_id, alternative_id):
        items = dbc.get.question_alternative(competition_id, slide_id, question_id, alternative_id)
        return item_response(schema.dump(items))

--- a/server/app/apis/auth.py
+++ b/server/app/apis/auth.py
@@ -12,6 +12,8 @@ from flask_jwt_extended import (
 )
 from flask_restx import Resource
 from flask_restx import inputs, reqparse
+from datetime import timedelta
+from app.core import sockets
 api = AuthDTO.api
 schema = AuthDTO.schema
@@ -90,11 +92,16 @@ class AuthLoginCode(Resource):
        code = args["code"]
        if not verify_code(code):
-            api.abort(codes.BAD_REQUEST, "Invalid code")
+            api.abort(codes.UNAUTHORIZED, "Invalid code")
        item_code = dbc.get.code_by_code(code)
-        access_token = create_access_token(item_code.id, user_claims=get_code_claims(item_code))
+        if item_code.competition_id not in sockets.presentations:
+            api.abort(codes.UNAUTHORIZED, "Competition not active")
+        access_token = create_access_token(
+            item_code.id, user_claims=get_code_claims(item_code), expires_delta=timedelta(hours=8)
+        )
        response = {
            "competition_id": item_code.competition_id,
@@ -107,11 +114,11 @@ class AuthLoginCode(Resource):
 @api.route("/logout")
 class AuthLogout(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def post(self):
        jti = get_raw_jwt()["jti"]
        dbc.add.blacklist(jti)
-        return text_response("User logout")
+        return text_response("Logout")
 @api.route("/refresh")

--- a/server/app/apis/components.py
+++ b/server/app/apis/components.py
@@ -27,7 +27,7 @@ component_create_parser.add_argument("type_id", type=int, required=True, locatio
 @api.route("/<component_id>")
 @api.param("competition_id, slide_id, component_id")
 class ComponentByID(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def get(self, competition_id, slide_id, component_id):
        item = dbc.get.component(competition_id, slide_id, component_id)
        return item_response(schema.dump(item))
@@ -50,7 +50,7 @@ class ComponentByID(Resource):
 @api.route("")
 @api.param("competition_id, slide_id")
 class ComponentList(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def get(self, competition_id, slide_id):
        items = dbc.get.component_list(competition_id, slide_id)
        return list_response(list_schema.dump(items))

--- a/server/app/apis/media.py
+++ b/server/app/apis/media.py
@@ -48,7 +48,7 @@ class ImageList(Resource):
 @api.route("/images/<ID>")
 @api.param("ID")
 class ImageList(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def get(self, ID):
        item = dbc.get.one(Media, ID)
        return item_response(schema.dump(item))

--- a/server/app/apis/misc.py
+++ b/server/app/apis/misc.py
@@ -23,7 +23,7 @@ name_parser.add_argument("name", type=str, required=True, location="json")
 @api.route("/types")
 class TypesList(Resource):
-    @protect_route(allowed_roles=["*"])
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
    def get(self):
        result = {}
        result["media_types"] = media_type_schema.dump(dbc.get.all(MediaType))

--- a/server/app/database/controller/add.py
+++ b/server/app/database/controller/add.py
@@ -151,9 +151,13 @@ def competition(name, year, city_id):
    # Add code for Judge view
    code(2, item_competition.id)
    # Add code for Audience view
    code(3, item_competition.id)
+    # Add code for Operator view
+    code(4, item_competition.id)
    item_competition = utils.refresh(item_competition)
    return item_competition

--- a/server/tests/test_app.py
+++ b/server/tests/test_app.py
@@ -5,6 +5,7 @@ This file tests the api function calls.
 import app.core.http_codes as codes
 from app.database.controller.add import competition
 from app.database.models import Slide
+from app.core import sockets
 from tests import app, client, db
 from tests.test_helpers import add_default_values, change_order_test, delete, get, post, put
@@ -391,6 +392,9 @@ def test_question_api(client):
 def test_authorization(client):
    add_default_values()
+    # Fake that competition 1 is active
+    sockets.presentations[1] = {}
    #### TEAM ####
    # Login in with team code
    response, body = post(client, "/api/auth/login/code", {"code": "111111"})