mirror of
https://github.com/rzmk/learnhouse.git
synced 2025-12-19 04:19:25 +00:00
feat: verify org_id for courses & lectures
This commit is contained in:
swve
parent
48cf26790a
commit
98b470f2ab
5 changed files with 55 additions and 50 deletions
|
|
@ -49,6 +49,7 @@ async def api_get_course_by(request: Request,page: int, limit: int, org_id: str)
|
||||||
"""
|
"""
|
||||||
return await get_courses(request, page, limit, org_id)
|
return await get_courses(request, page, limit, org_id)
|
||||||
|
|
||||||
|
|
||||||
@router.get("/org_slug/{org_slug}/page/{page}/limit/{limit}")
|
@router.get("/org_slug/{org_slug}/page/{page}/limit/{limit}")
|
||||||
async def api_get_course_by_orgslug(request: Request, page: int, limit: int, org_slug: str):
|
async def api_get_course_by_orgslug(request: Request, page: int, limit: int, org_slug: str):
|
||||||
"""
|
"""
|
||||||
|
|
|
||||||
|
|
@ -7,15 +7,15 @@ router = APIRouter()
|
||||||
|
|
||||||
|
|
||||||
@router.post("/")
|
@router.post("/")
|
||||||
async def api_create_lecture(request: Request,lecture_object: Lecture, coursechapter_id: str, current_user: PublicUser = Depends(get_current_user)):
|
async def api_create_lecture(request: Request, lecture_object: Lecture, org_id: str, coursechapter_id: str, current_user: PublicUser = Depends(get_current_user)):
|
||||||
"""
|
"""
|
||||||
Create new lecture
|
Create new lecture
|
||||||
"""
|
"""
|
||||||
return await create_lecture(request,lecture_object, coursechapter_id, current_user)
|
return await create_lecture(request, lecture_object, org_id, coursechapter_id, current_user)
|
||||||
|
|
||||||
|
|
||||||
@router.get("/{lecture_id}")
|
@router.get("/{lecture_id}")
|
||||||
async def api_get_lecture(request: Request,lecture_id: str, current_user: PublicUser = Depends(get_current_user)):
|
async def api_get_lecture(request: Request, lecture_id: str, org_id: str, current_user: PublicUser = Depends(get_current_user)):
|
||||||
"""
|
"""
|
||||||
Get single lecture by lecture_id
|
Get single lecture by lecture_id
|
||||||
"""
|
"""
|
||||||
|
|
@ -39,15 +39,17 @@ async def api_update_lecture(request: Request,lecture_object: Lecture, lecture_i
|
||||||
|
|
||||||
|
|
||||||
@router.delete("/{lecture_id}")
|
@router.delete("/{lecture_id}")
|
||||||
async def api_delete_lecture(request: Request,lecture_id: str, current_user: PublicUser = Depends(get_current_user)):
|
async def api_delete_lecture(request: Request, lecture_id: str, org_id: str, current_user: PublicUser = Depends(get_current_user)):
|
||||||
"""
|
"""
|
||||||
Delete lecture by lecture_id
|
Delete lecture by lecture_id
|
||||||
"""
|
"""
|
||||||
return await delete_lecture(request, lecture_id, current_user)
|
return await delete_lecture(request, lecture_id, current_user)
|
||||||
|
|
||||||
# Video play
|
# Video play
|
||||||
|
|
||||||
|
|
||||||
@router.post("/video")
|
@router.post("/video")
|
||||||
async def api_create_video_lecture(request: Request,name: str = Form(), coursechapter_id: str = Form(), current_user: PublicUser = Depends(get_current_user), video_file: UploadFile | None = None):
|
async def api_create_video_lecture(request: Request, org_id: str, name: str = Form(), coursechapter_id: str = Form(), current_user: PublicUser = Depends(get_current_user), video_file: UploadFile | None = None):
|
||||||
"""
|
"""
|
||||||
Create new lecture
|
Create new lecture
|
||||||
"""
|
"""
|
||||||
|
|
|
||||||
|
|
@ -141,11 +141,8 @@ async def create_course(request: Request, course_object: Course, org_id: str, cu
|
||||||
|
|
||||||
# TODO(fix) : the implementation here is clearly not the best one (this entire function)
|
# TODO(fix) : the implementation here is clearly not the best one (this entire function)
|
||||||
course_object.org_id = org_id
|
course_object.org_id = org_id
|
||||||
hasRoleRights = await verify_user_rights_with_roles(request, "create", current_user.user_id, course_id)
|
await verify_user_rights_with_roles(request, "create", current_user.user_id, course_id,org_id)
|
||||||
|
|
||||||
if not hasRoleRights:
|
|
||||||
raise HTTPException(
|
|
||||||
status_code=status.HTTP_409_CONFLICT, detail="Roles : Insufficient rights to perform this action")
|
|
||||||
|
|
||||||
if thumbnail_file:
|
if thumbnail_file:
|
||||||
name_in_disk = f"{course_id}_thumbnail_{uuid4()}.{thumbnail_file.filename.split('.')[-1]}"
|
name_in_disk = f"{course_id}_thumbnail_{uuid4()}.{thumbnail_file.filename.split('.')[-1]}"
|
||||||
|
|
@ -290,7 +287,7 @@ async def verify_rights(request: Request, course_id: str, current_user: PublicUs
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
status_code=status.HTTP_409_CONFLICT, detail=f"Course/CourseChapter does not exist")
|
status_code=status.HTTP_409_CONFLICT, detail=f"Course/CourseChapter does not exist")
|
||||||
|
|
||||||
hasRoleRights = await verify_user_rights_with_roles(request, action, current_user.user_id, course_id)
|
hasRoleRights = await verify_user_rights_with_roles(request, action, current_user.user_id, course_id, course["org_id"])
|
||||||
isAuthor = current_user.user_id in course["authors"]
|
isAuthor = current_user.user_id in course["authors"]
|
||||||
|
|
||||||
if not hasRoleRights and not isAuthor:
|
if not hasRoleRights and not isAuthor:
|
||||||
|
|
|
||||||
|
|
@ -29,14 +29,14 @@ class LectureInDB(Lecture):
|
||||||
####################################################
|
####################################################
|
||||||
|
|
||||||
|
|
||||||
async def create_lecture(request: Request,lecture_object: Lecture, coursechapter_id: str, current_user: PublicUser):
|
async def create_lecture(request: Request, lecture_object: Lecture, org_id: str, coursechapter_id: str, current_user: PublicUser):
|
||||||
lectures = request.app.db["lectures"]
|
lectures = request.app.db["lectures"]
|
||||||
coursechapters = request.app.db["coursechapters"]
|
coursechapters = request.app.db["coursechapters"]
|
||||||
|
|
||||||
# generate lecture_id
|
# generate lecture_id
|
||||||
lecture_id = str(f"lecture_{uuid4()}")
|
lecture_id = str(f"lecture_{uuid4()}")
|
||||||
|
|
||||||
hasRoleRights = await verify_user_rights_with_roles(request, "create", current_user.user_id, lecture_id)
|
hasRoleRights = await verify_user_rights_with_roles(request, "create", current_user.user_id, lecture_id, org_id)
|
||||||
|
|
||||||
if not hasRoleRights:
|
if not hasRoleRights:
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
|
|
@ -60,7 +60,7 @@ async def get_lecture(request: Request,lecture_id: str, current_user: PublicUser
|
||||||
lecture = await lectures.find_one({"lecture_id": lecture_id})
|
lecture = await lectures.find_one({"lecture_id": lecture_id})
|
||||||
|
|
||||||
# verify course rights
|
# verify course rights
|
||||||
hasRoleRights = await verify_user_rights_with_roles(request,"read", current_user.user_id, lecture_id)
|
hasRoleRights = await verify_user_rights_with_roles(request, "read", current_user.user_id, lecture_id, element_org_id=lecture["org_id"])
|
||||||
|
|
||||||
if not hasRoleRights:
|
if not hasRoleRights:
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
|
|
@ -76,12 +76,11 @@ async def get_lecture(request: Request,lecture_id: str, current_user: PublicUser
|
||||||
|
|
||||||
async def update_lecture(request: Request, lecture_object: Lecture, lecture_id: str, current_user: PublicUser):
|
async def update_lecture(request: Request, lecture_object: Lecture, lecture_id: str, current_user: PublicUser):
|
||||||
|
|
||||||
# verify course rights
|
|
||||||
await verify_user_rights_with_roles(request, "update", current_user.user_id, lecture_id)
|
|
||||||
|
|
||||||
lectures = request.app.db["lectures"]
|
lectures = request.app.db["lectures"]
|
||||||
|
|
||||||
lecture = await lectures.find_one({"lecture_id": lecture_id})
|
lecture = await lectures.find_one({"lecture_id": lecture_id})
|
||||||
|
# verify course rights
|
||||||
|
await verify_user_rights_with_roles(request, "update", current_user.user_id, lecture_id, element_org_id=lecture["org_id"])
|
||||||
|
|
||||||
if lecture:
|
if lecture:
|
||||||
creationDate = lecture["creationDate"]
|
creationDate = lecture["creationDate"]
|
||||||
|
|
@ -104,13 +103,13 @@ async def update_lecture(request: Request,lecture_object: Lecture, lecture_id: s
|
||||||
|
|
||||||
async def delete_lecture(request: Request, lecture_id: str, current_user: PublicUser):
|
async def delete_lecture(request: Request, lecture_id: str, current_user: PublicUser):
|
||||||
|
|
||||||
# verify course rights
|
|
||||||
await verify_user_rights_with_roles(request,"delete", current_user.user_id, lecture_id)
|
|
||||||
|
|
||||||
lectures = request.app.db["lectures"]
|
lectures = request.app.db["lectures"]
|
||||||
|
|
||||||
lecture = await lectures.find_one({"lecture_id": lecture_id})
|
lecture = await lectures.find_one({"lecture_id": lecture_id})
|
||||||
|
|
||||||
|
# verify course rights
|
||||||
|
await verify_user_rights_with_roles(request, "delete", current_user.user_id, lecture_id, element_org_id=lecture["org_id"])
|
||||||
|
|
||||||
if not lecture:
|
if not lecture:
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
status_code=status.HTTP_409_CONFLICT, detail="lecture does not exist")
|
status_code=status.HTTP_409_CONFLICT, detail="lecture does not exist")
|
||||||
|
|
@ -131,8 +130,9 @@ async def delete_lecture(request: Request,lecture_id: str, current_user: PublicU
|
||||||
async def get_lectures(request: Request, coursechapter_id: str, current_user: PublicUser):
|
async def get_lectures(request: Request, coursechapter_id: str, current_user: PublicUser):
|
||||||
lectures = request.app.db["lectures"]
|
lectures = request.app.db["lectures"]
|
||||||
|
|
||||||
# verify course rights
|
# TODO : TERRIBLE SECURITY ISSUE HERE, NEED TO FIX ASAP
|
||||||
await verify_user_rights_with_roles(request,"read", current_user.user_id, coursechapter_id)
|
# TODO : TERRIBLE SECURITY ISSUE HERE, NEED TO FIX ASAP
|
||||||
|
# TODO : TERRIBLE SECURITY ISSUE HERE, NEED TO FIX ASAP
|
||||||
|
|
||||||
lectures = lectures.find({"coursechapter_id": coursechapter_id})
|
lectures = lectures.find({"coursechapter_id": coursechapter_id})
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -58,6 +58,7 @@ async def verify_user_rights_with_roles(request: Request, action: str, user_id:
|
||||||
|
|
||||||
# TODO: Check if the org_id of the role is the same as the org_id of the element using find
|
# TODO: Check if the org_id of the role is the same as the org_id of the element using find
|
||||||
|
|
||||||
|
if action != "create":
|
||||||
await check_user_role_org_with_element_org(request, element_id, user_roles)
|
await check_user_role_org_with_element_org(request, element_id, user_roles)
|
||||||
|
|
||||||
# Check if user has the right role
|
# Check if user has the right role
|
||||||
|
|
@ -105,12 +106,16 @@ async def check_user_role_org_with_element_org(request: Request, element_id: str
|
||||||
# get singular element type
|
# get singular element type
|
||||||
singular_form_element = element_type[:-1]
|
singular_form_element = element_type[:-1]
|
||||||
|
|
||||||
element_org_id = await element.find_one({singular_form_element + "_id": element_id}, {"org_id": 1})
|
element_type_id = singular_form_element + "_id"
|
||||||
|
|
||||||
|
element_org = await element.find_one({element_type_id: element_id})
|
||||||
|
|
||||||
|
|
||||||
for role_id in roles_list:
|
for role_id in roles_list:
|
||||||
role = RoleInDB(**await roles.find_one({"role_id": role_id}))
|
role = RoleInDB(**await roles.find_one({"role_id": role_id}))
|
||||||
|
if role.org_id == element_org["org_id"]:
|
||||||
if role.org_id == element_org_id:
|
return True
|
||||||
|
if role.org_id == "*":
|
||||||
return True
|
return True
|
||||||
|
|
||||||
else:
|
else:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue