Add authentication for update/delete endpoints

This commit is contained in:
Peter Stockings
2026-01-29 18:41:24 +11:00
parent e7520035c7
commit 036d852aab
6 changed files with 197 additions and 17 deletions


@@ -1,6 +1,6 @@
from flask import Blueprint, render_template, request, redirect, url_for, current_app
from extensions import db
# from flask_login import login_required, current_user # Add if authentication is needed
from flask_login import login_required, current_user
from jinja2_fragments import render_block # Import render_block
programs_bp = Blueprint('programs', __name__, url_prefix='/programs')
@@ -8,7 +8,7 @@ programs_bp = Blueprint('programs', __name__, url_prefix='/programs')
from flask import flash # Import flash for displaying messages
@programs_bp.route('/create', methods=['GET', 'POST'])
# @login_required # Uncomment if login is required
@login_required
def create_program():
if request.method == 'POST':
program_name = request.form.get('program_name', '').strip()
@@ -157,7 +157,7 @@ def list_programs():
@programs_bp.route('/<int:program_id>/delete', methods=['DELETE'])
# @login_required # Add authentication if needed
@login_required
def delete_program(program_id):
"""Deletes a workout program and its associated sessions/assignments."""
try:
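Review bot: `delete_program` (and `create_program` in the earlier hunk) gains only `@login_required`, whereas every tag and workout route touched by this same commit also gets `@require_ownership`; if programs are scoped to a person or user, any signed-in account can delete any `program_id` it can reach, since the route takes the id straight from the URL. If programs are intentionally global, say so where the decorator is missing, e.g. `# Programs are not owner-scoped; any logged-in user may modify them.`, so the asymmetry is not read as an oversight. The body of `delete_program` continues outside the hunk, so an inline ownership check there cannot be ruled out from this view.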


@@ -1,8 +1,9 @@
from flask import Blueprint, request, redirect, url_for, render_template, current_app
from urllib.parse import urlencode, parse_qs, unquote_plus
from flask_login import current_user
from flask_login import current_user, login_required
from extensions import db
from jinja2_fragments import render_block
from decorators import validate_person, validate_workout, require_ownership
tags_bp = Blueprint('tags', __name__, url_prefix='/tag')
@@ -54,6 +55,8 @@ def goto_tag():
@tags_bp.route("/add", methods=['POST']) # Changed to POST
@login_required
@require_ownership
def add_tag():
"""Adds a tag and returns the updated tags partial."""
person_id = request.form.get("person_id") # Get from form data
@@ -85,6 +88,8 @@ def add_tag():
@tags_bp.route("/<int:tag_id>/delete", methods=['DELETE']) # Changed to DELETE
@login_required
@require_ownership
def delete_tag(tag_id):
"""Deletes a tag and returns the updated tags partial."""
# We might get person_id from request body/headers if needed, or assume context
@@ -105,6 +110,9 @@ def delete_tag(tag_id):
# --- Workout Specific Tag Routes ---
@tags_bp.route("/workout/<int:workout_id>/add", methods=['POST'])
@login_required
@validate_workout
@require_ownership
def add_tag_to_workout(workout_id):
"""Adds existing tags to a specific workout."""
# Note: Authorization (checking if the current user can modify this workout) might be needed here.
@@ -181,6 +189,9 @@ def add_tag_to_workout(workout_id):
return render_template('partials/workout_tags_list.html', tags=all_person_tags, person_id=person_id, workout_id=workout_id)
@tags_bp.route("/workout/<int:workout_id>/new", methods=['POST'])
@login_required
@validate_workout
@require_ownership
def create_new_tag_for_workout(workout_id):
"""Creates a new tag and associates it with a specific workout."""
# Note: Authorization might be needed here.
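Review bot: The stale notes left at the end of this hunk and of the `add_tag_to_workout` hunk (`# Note: Authorization might be needed here.` and `# Note: Authorization (checking if the current user can modify this workout) might be needed here.`) now contradict the `@require_ownership` decorator added directly above them; delete them or replace with `# Ownership is enforced by @require_ownership above.` Separately, `add_tag` and `delete_tag` carry no `person_id`/`workout_id` URL parameter — `add_tag` reads `person_id` from the form body and `delete_tag(tag_id)` has only the tag id — so whether `require_ownership` can resolve an owner for these two routes depends on the decorator's implementation, which is not in this diff. If it falls back to the client-supplied `person_id` form field rather than looking the tag's owner up server-side, the check on those routes is only as trustworthy as the form, so that is worth confirming. All four route bodies continue outside their hunks.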


@@ -1,8 +1,9 @@
from flask import Blueprint, render_template, redirect, url_for, request, current_app
from jinja2_fragments import render_block
from flask_htmx import HTMX
from flask_login import login_required
from extensions import db
from decorators import validate_workout, validate_topset
from decorators import validate_workout, validate_topset, require_ownership, validate_person
from utils import convert_str_to_date
from collections import defaultdict # Import defaultdict
@@ -129,6 +130,9 @@ def _get_workout_view_model(person_id, workout_id):
# --- Routes ---
@workout_bp.route("/person/<int:person_id>/workout", methods=['POST'])
@login_required
@validate_person
@require_ownership
def create_workout(person_id):
new_workout_id = db.create_workout(person_id)
# Use the local helper function to get the view model
@@ -139,13 +143,17 @@ def create_workout(person_id):
return render_block(current_app.jinja_env, 'workout.html', 'content', **view_model)
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/delete", methods=['GET'])
@login_required
@validate_workout
@require_ownership
def delete_workout(person_id, workout_id):
db.delete_workout(workout_id)
return redirect(url_for('calendar.get_calendar', person_id=person_id))
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/start_date_edit_form", methods=['GET'])
@login_required
@validate_workout
@require_ownership
def get_workout_start_date_edit_form(person_id, workout_id):
# Fetch only the necessary data (start_date)
workout = db.execute("SELECT start_date FROM workout WHERE workout_id = %s", [workout_id], one=True)
@@ -153,7 +161,9 @@ def get_workout_start_date_edit_form(person_id, workout_id):
return render_template('partials/start_date.html', person_id=person_id, workout_id=workout_id, start_date=start_date, is_edit=True)
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/start_date", methods=['PUT'])
@login_required
@validate_workout
@require_ownership
def update_workout_start_date(person_id, workout_id):
new_start_date_str = request.form.get('start-date')
db.update_workout_start_date(workout_id, new_start_date_str)
@@ -176,14 +186,18 @@ def get_topset(person_id, workout_id, topset_id):
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=topset_id, exercise_id=topset.get('exercise_id'), exercise_name=topset.get('exercise_name'), repetitions=topset.get('repetitions'), weight=topset.get('weight'))
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset/<int:topset_id>/edit_form", methods=['GET'])
@login_required
@validate_topset
@require_ownership
def get_topset_edit_form(person_id, workout_id, topset_id):
exercises = db.get_all_exercises()
topset = db.get_topset(topset_id)
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=topset_id, exercises=exercises, exercise_id=topset.get('exercise_id'), exercise_name=topset.get('exercise_name'), repetitions=topset.get('repetitions'), weight=topset.get('weight'), is_edit=True)
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset", methods=['POST'])
@login_required
@validate_workout
@require_ownership
def create_topset(person_id, workout_id):
exercise_id = request.form.get("exercise_id")
repetitions = request.form.get("repetitions")
@@ -193,7 +207,9 @@ def create_topset(person_id, workout_id):
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=new_topset_id, exercise_id=exercise_id, exercise_name=exercise.get('name'), repetitions=repetitions, weight=weight), 200, {"HX-Trigger": "topsetAdded"}
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset/<int:topset_id>", methods=['PUT'])
@login_required
@validate_workout
@require_ownership
def update_topset(person_id, workout_id, topset_id):
exercise_id = request.form.get("exercise_id")
repetitions = request.form.get("repetitions")
@@ -203,7 +219,9 @@ def update_topset(person_id, workout_id, topset_id):
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=topset_id, exercise_name=exercise.get('name'), repetitions=repetitions, weight=weight)
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset/<int:topset_id>/delete", methods=['DELETE'])
@login_required
@validate_topset
@require_ownership
def delete_topset(person_id, workout_id, topset_id):
db.delete_topset(topset_id)
return ""
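Review bot: `update_topset` is decorated with `@validate_workout` + `@require_ownership` but, unlike the sibling `get_topset_edit_form` and `delete_topset`, not `@validate_topset`, so the `topset_id` in its URL is presumably never checked against `workout_id`; unless `validate_workout` or `require_ownership` also ties the topset to that workout (their implementations are not in the diff), a topset belonging to a different workout could be edited through a workout the caller does own. Using `@validate_topset` there, as the other topset routes do, would align the three; `get_topset_edit_form` has the mirror-image question if `validate_topset` does not verify `workout_id`. Also, `delete_workout` remains routed on `methods=['GET']` while `delete_topset` uses DELETE; a state-changing GET behind cookie-session login is the classic CSRF shape, and now that the route is authenticated it is worth moving to DELETE (or POST) in the same pass. The bodies of `update_topset` and `create_topset` continue outside their hunks.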