from functools import wraps
from flask import g, session, redirect, url_for, request, jsonify
from app.db import query_one
def login_required(f):
    """Decorator that sends anonymous visitors to the login page.

    A request counts as authenticated when the Flask ``session`` holds a
    ``user_id`` key.  Otherwise the wrapped view is never called and the
    client is redirected to ``auth.login`` with the original ``request.url``
    passed as ``next``.

    NOTE(review): ``next`` is forwarded verbatim as a full URL; the login
    view is where that value has to be checked before redirecting back to
    it — confirm it does so.
    """

    @wraps(f)
    def decorated_function(*args, **kwargs):
        authenticated = "user_id" in session
        if not authenticated:
            # Remember where the user was headed so the login view can return them.
            login_page = url_for("auth.login", next=request.url)
            return redirect(login_page)
        return f(*args, **kwargs)

    return decorated_function
def get_current_user():
    """Return the users row for the session's ``user_id``, or ``None``.

    The database result is stored on ``g.current_user`` so repeated calls
    within one request query only once; the ``in g`` check returns whatever
    was cached, including a cached ``None``.  When the session carries no
    ``user_id`` the function returns ``None`` without touching ``g``.

    NOTE(review): the query selects every column of the row; confirm that
    callers do not serialize this object as-is if it carries credential
    material.
    """
    # Per-request memo: anything already placed on g wins.
    if "current_user" in g:
        return g.current_user

    user_id = session.get("user_id")
    if user_id is None:
        return None

    user = query_one("SELECT * FROM users WHERE id = %s", (user_id,))
    g.current_user = user
    return user
def privacy_guard(f):
    """Decorator for API endpoints whose first argument is a ``user_id``.

    A request for the session's own ``user_id`` always reaches the view.
    For any other id the target user's ``is_private`` flag is looked up;
    a private target yields an empty JSON object instead of the view's
    data.  An id with no matching row (falsy lookup result) falls through
    to the view, which decides how to answer.  A visitor with no session
    compares unequal to every id, so they are treated like any other
    third party.

    NOTE(review): the comparison is a plain ``==`` between the route's
    ``user_id`` and the session value; if their types differ (e.g. int vs
    str) the check never matches and every request takes the lookup path
    — that fails closed, but confirm the types agree.
    """

    def hidden_from_caller(user_id):
        # The session owner may always see their own data.
        if user_id == session.get("user_id"):
            return False
        target = query_one("SELECT is_private FROM users WHERE id = %s", (user_id,))
        return bool(target and target["is_private"])

    @wraps(f)
    def decorated_function(user_id, *args, **kwargs):
        if hidden_from_caller(user_id):
            return jsonify({})
        return f(user_id, *args, **kwargs)

    return decorated_function