Add authentication for update/delete endpoints
This commit is contained in:
Peter Stockings
@@ -1,8 +1,9 @@
|
||||
from flask import Blueprint, render_template, redirect, url_for, request, current_app
|
||||
from jinja2_fragments import render_block
|
||||
from flask_htmx import HTMX
|
||||
from flask_login import login_required
|
||||
from extensions import db
|
||||
from decorators import validate_workout, validate_topset
|
||||
from decorators import validate_workout, validate_topset, require_ownership, validate_person
|
||||
from utils import convert_str_to_date
|
||||
from collections import defaultdict # Import defaultdict
|
||||
|
||||
@@ -129,6 +130,9 @@ def _get_workout_view_model(person_id, workout_id):
|
||||
# --- Routes ---
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout", methods=['POST'])
|
||||
@login_required
|
||||
@validate_person
|
||||
@require_ownership
|
||||
def create_workout(person_id):
|
||||
new_workout_id = db.create_workout(person_id)
|
||||
# Use the local helper function to get the view model
|
||||
@@ -139,13 +143,17 @@ def create_workout(person_id):
|
||||
return render_block(current_app.jinja_env, 'workout.html', 'content', **view_model)
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/delete", methods=['GET'])
|
||||
@login_required
|
||||
@validate_workout
|
||||
@require_ownership
|
||||
def delete_workout(person_id, workout_id):
|
||||
db.delete_workout(workout_id)
|
||||
return redirect(url_for('calendar.get_calendar', person_id=person_id))
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/start_date_edit_form", methods=['GET'])
|
||||
@login_required
|
||||
@validate_workout
|
||||
@require_ownership
|
||||
def get_workout_start_date_edit_form(person_id, workout_id):
|
||||
# Fetch only the necessary data (start_date)
|
||||
workout = db.execute("SELECT start_date FROM workout WHERE workout_id = %s", [workout_id], one=True)
|
||||
@@ -153,7 +161,9 @@ def get_workout_start_date_edit_form(person_id, workout_id):
|
||||
return render_template('partials/start_date.html', person_id=person_id, workout_id=workout_id, start_date=start_date, is_edit=True)
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/start_date", methods=['PUT'])
|
||||
@login_required
|
||||
@validate_workout
|
||||
@require_ownership
|
||||
def update_workout_start_date(person_id, workout_id):
|
||||
new_start_date_str = request.form.get('start-date')
|
||||
db.update_workout_start_date(workout_id, new_start_date_str)
|
||||
@@ -176,14 +186,18 @@ def get_topset(person_id, workout_id, topset_id):
|
||||
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=topset_id, exercise_id=topset.get('exercise_id'), exercise_name=topset.get('exercise_name'), repetitions=topset.get('repetitions'), weight=topset.get('weight'))
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset/<int:topset_id>/edit_form", methods=['GET'])
|
||||
@login_required
|
||||
@validate_topset
|
||||
@require_ownership
|
||||
def get_topset_edit_form(person_id, workout_id, topset_id):
|
||||
exercises = db.get_all_exercises()
|
||||
topset = db.get_topset(topset_id)
|
||||
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=topset_id, exercises=exercises, exercise_id=topset.get('exercise_id'), exercise_name=topset.get('exercise_name'), repetitions=topset.get('repetitions'), weight=topset.get('weight'), is_edit=True)
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset", methods=['POST'])
|
||||
@login_required
|
||||
@validate_workout
|
||||
@require_ownership
|
||||
def create_topset(person_id, workout_id):
|
||||
exercise_id = request.form.get("exercise_id")
|
||||
repetitions = request.form.get("repetitions")
|
||||
@@ -193,7 +207,9 @@ def create_topset(person_id, workout_id):
|
||||
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=new_topset_id, exercise_id=exercise_id, exercise_name=exercise.get('name'), repetitions=repetitions, weight=weight), 200, {"HX-Trigger": "topsetAdded"}
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset/<int:topset_id>", methods=['PUT'])
|
||||
@login_required
|
||||
@validate_workout
|
||||
@require_ownership
|
||||
def update_topset(person_id, workout_id, topset_id):
|
||||
exercise_id = request.form.get("exercise_id")
|
||||
repetitions = request.form.get("repetitions")
|
||||
@@ -203,7 +219,9 @@ def update_topset(person_id, workout_id, topset_id):
|
||||
return render_template('partials/topset.html', person_id=person_id, workout_id=workout_id, topset_id=topset_id, exercise_name=exercise.get('name'), repetitions=repetitions, weight=weight)
|
||||
|
||||
@workout_bp.route("/person/<int:person_id>/workout/<int:workout_id>/topset/<int:topset_id>/delete", methods=['DELETE'])
|
||||
@login_required
|
||||
@validate_topset
|
||||
@require_ownership
|
||||
def delete_topset(person_id, workout_id, topset_id):
|
||||
db.delete_topset(topset_id)
|
||||
return ""
|
||||
|
||||
Reference in New Issue
Block a user