fix: Make event-invoices endpoint admin only (#7096)

fossasia · Jun 30, 2020 · 2d36e03 · 2d36e03
1 parent 1169f10
commit 2d36e03
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/app/api/event_invoices.py b/app/api/event_invoices.py
@@ -1,11 +1,12 @@
 import datetime
 
 from flask import jsonify, request
+from flask_jwt_extended import current_user
 from flask_rest_jsonapi import ResourceDetail, ResourceList, ResourceRelationship
 
 from app.api.bootstrap import api
 from app.api.helpers.db import safe_query, safe_query_kwargs, save_to_db
-from app.api.helpers.errors import BadRequestError
+from app.api.helpers.errors import BadRequestError, ForbiddenError
 from app.api.helpers.payment import PayPalPaymentsManager
 from app.api.helpers.permissions import is_admin, jwt_required
 from app.api.helpers.query import event_query
@@ -39,6 +40,10 @@ def query(self, view_kwargs):
         :param view_kwargs:
         :return:
         """
+        user = current_user
+        if not user.is_staff:
+            raise ForbiddenError({'source': ''}, 'Admin access is required')
+
         query_ = self.session.query(EventInvoice)
         query_ = event_query(query_, view_kwargs)
         if view_kwargs.get('user_id'):

diff --git a/app/api/helpers/permission_manager.py b/app/api/helpers/permission_manager.py
@@ -23,7 +23,8 @@ def auth_required(view, view_args, view_kwargs, *args, **kwargs):
 def is_super_admin(view, view_args, view_kwargs, *args, **kwargs):
     """
     Permission function for things allowed exclusively to super admin.
-    Do not use this if the resource is also accessible by a normal admin, use the is_admin decorator instead.
+    Do not use this if the resource is also accessible by a normal admin,
+    use the is_admin decorator instead.
     :return:
     """
     user = current_user
@@ -61,7 +62,8 @@ def is_organizer(view, view_args, view_kwargs, *args, **kwargs):
     if user.is_staff:
         return view(*view_args, **view_kwargs)
 
-    if user.is_owner(kwargs['event_id']) or user.is_organizer(kwargs['event_id']):
+    event_id = kwargs.get('event_id')
+    if event_id and (user.is_owner(event_id) or user.is_organizer(event_id)):
         return view(*view_args, **view_kwargs)
 
     raise ForbiddenError({'source': ''}, 'Organizer access is required')
@@ -94,7 +96,8 @@ def is_coorganizer_endpoint_related_to_event(
     view, view_args, view_kwargs, *args, **kwargs
 ):
     """
-     If the authorization header is present (but expired) and the event being accessed is not published
+     If the authorization header is present (but expired)
+     and the eventbeing accessed is not published
      - And the user is related to the event (organizer, co-organizer etc) show a 401
      - Else show a 404
 
@@ -380,7 +383,7 @@ def permission_manager(view, view_args, view_kwargs, *args, **kwargs):
     if 'id' in kwargs:
         view_kwargs['id'] = kwargs['id']
 
-    if 'methods' in kwargs:
+    if kwargs.get('methods'):
         methods = kwargs['methods']
 
     if request.method not in methods:
@@ -452,16 +455,16 @@ def permission_manager(view, view_args, view_kwargs, *args, **kwargs):
             fetch = kwargs['fetch']
             fetch_key_url = 'id'
             fetch_key_model = 'id'
-            if 'fetch_key_url' in kwargs:
+            if kwargs.get('fetch_key_url'):
                 fetch_key_url = kwargs['fetch_key_url']
 
-            if 'fetch_key_model' in kwargs:
+            if kwargs.get('fetch_key_model'):
                 fetch_key_model = kwargs['fetch_key_model']
 
             if not is_multiple(model):
                 model = [model]
 
-            if type(fetch_key_url) == str and is_multiple(fetch_key_url):
+            if isinstance(fetch_key_url, str) and is_multiple(fetch_key_url):
                 fetch_key_url = fetch_key_url.split(  # pytype: disable=attribute-error
                     ","
                 )
@@ -505,8 +508,7 @@ def permission_manager(view, view_args, view_kwargs, *args, **kwargs):
             raise NotFoundError({'source': ''}, 'Object not found.')
     if args[0] in permissions:
         return permissions[args[0]](view, view_args, view_kwargs, *args, **kwargs)
-    else:
-        raise ForbiddenError({'source': ''}, 'Access forbidden')
+    raise ForbiddenError({'source': ''}, 'Access forbidden')
 
 
 def has_access(access_level, **kwargs):