Add authentication for update/delete endpoints
26
app.py
26
app.py
@@ -1,10 +1,11 @@
|
||||
from datetime import date
|
||||
import os
|
||||
from flask import Flask, abort, render_template, redirect, request, url_for
|
||||
from flask_login import LoginManager
|
||||
from flask_login import LoginManager, login_required
|
||||
import jinja_partials
|
||||
from jinja2_fragments import render_block
|
||||
from decorators import validate_person, validate_topset, validate_workout
|
||||
from decorators import (validate_person, validate_topset, validate_workout,
|
||||
require_ownership, get_auth_message, get_person_id_from_context)
|
||||
from routes.auth import auth, get_person_by_id
|
||||
from routes.changelog import changelog_bp
|
||||
from routes.calendar import calendar_bp # Import the new calendar blueprint
|
||||
@@ -40,6 +41,17 @@ login_manager.login_message_category = 'info'
|
||||
def load_user(person_id):
|
||||
return get_person_by_id(person_id)
|
||||
|
||||
@login_manager.unauthorized_handler
|
||||
def unauthorized():
|
||||
from flask import flash
|
||||
person_id = get_person_id_from_context()
|
||||
msg = get_auth_message(request.endpoint, person_id)
|
||||
flash(msg, "info")
|
||||
|
||||
if request.headers.get('HX-Request'):
|
||||
return '', 200, {'HX-Redirect': url_for('auth.login')}
|
||||
return redirect(url_for('auth.login'))
|
||||
|
||||
app.register_blueprint(auth, url_prefix='/auth')
|
||||
app.register_blueprint(changelog_bp, url_prefix='/changelog')
|
||||
app.register_blueprint(calendar_bp) # Register the calendar blueprint
|
||||
@@ -144,6 +156,7 @@ def person_overview(person_id):
|
||||
return render_template('person_overview.html', **render_args), 200, {"HX-Push-Url": url_for('person_overview', person_id=person_id, min_date=min_date, max_date=max_date, exercise_id=selected_exercise_ids), "HX-Trigger": "refreshStats"}
|
||||
|
||||
@ app.route("/person", methods=['POST'])
|
||||
@login_required
|
||||
def create_person():
|
||||
name = request.form.get("name")
|
||||
new_person_id = db.create_person(name)
|
||||
@@ -151,18 +164,27 @@ def create_person():
|
||||
|
||||
|
||||
@ app.route("/person/<int:person_id>/delete", methods=['DELETE'])
|
||||
@login_required
|
||||
@validate_person
|
||||
@require_ownership
|
||||
def delete_person(person_id):
|
||||
db.delete_person(person_id)
|
||||
return "", 200, {"HX-Trigger": "updatedPeople"}
|
||||
|
||||
|
||||
@ app.route("/person/<int:person_id>/edit_form", methods=['GET'])
|
||||
@login_required
|
||||
@validate_person
|
||||
@require_ownership
|
||||
def get_person_edit_form(person_id):
|
||||
name = db.get_person_name(person_id)
|
||||
return render_template('partials/person.html', person_id=person_id, name=name, is_edit=True)
|
||||
|
||||
|
||||
@ app.route("/person/<int:person_id>/name", methods=['PUT'])
|
||||
@login_required
|
||||
@validate_person
|
||||
@require_ownership
|
||||
def update_person_name(person_id):
|
||||
new_name = request.form.get("name")
|
||||
db.update_person_name(person_id, new_name)
|
||||
|
||||
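Review bot: The `unauthorized` handler in the second hunk answers an unauthenticated HTMX request with status 200 (`return '', 200, {'HX-Redirect': url_for('auth.login')}`), so access-control rejections are indistinguishable from successes in access logs and to any client that checks the status; `return '', 401, {'HX-Redirect': url_for('auth.login')}` keeps the redirect while recording the denial, though whether htmx processes HX-Redirect on a 401 should be confirmed against the htmx version in use. The `from flask import flash` inside that handler duplicates the module-level flask import in the first hunk, where `flash` could simply be added to the existing `from flask import ...` line. The new `delete_person` and `update_person_name` routes are guarded by the login session and ownership check as far as this page shows, but whether CSRF protection covers these DELETE/PUT requests is not visible here and is worth confirming. `update_person_name` continues past the end of the last hunk.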