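    def wrapper(*args, **kwargs):
        """Resolve the caller's session before running the wrapped handler.

        Reads the ``session-id`` request header (a test may instead pass the
        request object as ``kwargs["testing_request"]``), looks the session
        up and injects ``session``, ``user`` and ``role`` into the handler's
        keyword arguments.

        Returns:
            Whatever ``f`` returns, or an ``error(...)`` response: 401 when
            the header is missing or the lookup raises ``ValueError``,
            400 for any other lookup failure.
        """
        parser = reqparse.RequestParser()
        parser.add_argument('session-id', location='headers')

        # A test can hand in a request object explicitly; None means
        # reqparse parses the current request.
        req = kwargs.get("testing_request")
        parsed_args = parser.parse_args(req)

        sess_id = parsed_args["session-id"]
        # Identity test for the missing-header sentinel (``is None``, not
        # ``== None``).
        if sess_id is None:
            return error("Not authorized", 401)

        try:
            sess = Session.get_by_id(sess_id)
        except ValueError:
            # Same 401 as a missing header, so the response does not reveal
            # which session ids exist.
            return error("Not authorized", 401)
        except Exception as e:
            # NOTE(review): str(e) of an arbitrary failure (DB errors etc.)
            # is returned to the client; prefer a generic message and log
            # the detail server-side.
            return error(str(e), 400)

        kwargs["session"] = sess
        kwargs["user"] = sess.user
        kwargs["role"] = sess.user.role

        return f(*args, **kwargs)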
    def post(self, id, **kwargs):
        """Create a customer record under the given id.

        Returns:
            ``(customer_json, 201)`` on success; 400 when ``to_uuid`` raises
            ``AttributeError`` or the id already exists; 401 when the caller
            is neither that customer nor an admin.
        """
        try:
            id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        if not _acl_same_customer_id_or_admin(id, kwargs["user"]):
            return error("Not authorized", 401)

        fields = _parse_full_user_request()

        if Customer.id_exists(id):
            return error("Customer ID exists", 400)

        new_cust = Customer.new_customer(
            id=id,
            name=fields["name"],
            gender=fields["gender"],
            tel=fields["tel"],
            address=fields["address"],
        )
        db.session.add(new_cust)
        db.session.commit()
        return new_cust.json(), 201
    def get(self, id):
        """Return the JSON of the user with the given id.

        ``User.get_by_id`` errors map to HTTP codes: ``AttributeError`` -> 400,
        ``ValueError`` -> 404.

        NOTE(review): unlike the customer/employee handlers the id is not
        normalised with ``to_uuid`` and no ``**kwargs``/ACL is involved —
        confirm this is intended.
        """
        try:
            found = User.get_by_id(id)
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)
        else:
            return found.json()
    def get(self, id, **kwargs):
        """Return the JSON of the employee with the given id.

        The id is normalised with ``to_uuid`` first (400 on
        ``AttributeError``); lookup errors map ``AttributeError`` -> 400 and
        ``ValueError`` -> 404.

        NOTE(review): ``kwargs["user"]`` is read but never used, so no ACL
        is applied here (contrast the customer handler) — confirm that any
        authenticated user is meant to read any employee record.
        """
        try:
            emp_id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        auth_user = kwargs["user"]  # unused; see docstring

        try:
            employee = Employee.get_by_id(emp_id)
            return employee.json()
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)
    def get(self, id, **kwargs):
        """Return the JSON of a customer, if the caller may see it.

        Returns:
            The customer JSON; 400 on ``AttributeError`` from ``to_uuid`` or
            the lookup; 404 when the lookup raises ``ValueError``; 401 when
            the caller is neither that customer nor an admin.
        """
        try:
            cust_id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        # Guard clause: ACL first, then the lookup.
        if not _acl_same_customer_id_or_admin(cust_id, kwargs["user"]):
            return error("Not authorized", 401)

        try:
            return Customer.get_by_id(cust_id).json()
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)
    def post(self):
        """Log in: exchange ``username``/``password`` headers for a session.

        Both headers are declared ``required=True``, so reqparse rejects the
        request if either is absent. A wrong password raises ``ValueError``
        deliberately so that it yields the same 401 message as a lookup
        failure; on success a new ``Session`` row is committed and returned
        as ``(session_json, 200)``.
        """
        login_parser = reqparse.RequestParser()
        for field, help_text in (
            ("username", "Username is required"),
            ("password", "Password is required"),
        ):
            login_parser.add_argument(field,
                                      required=True,
                                      location='headers',
                                      help=help_text)
        creds = login_parser.parse_args()
        username, password = creds["username"], creds["password"]

        try:
            account = User.get_by_username(username)
            if not account.check_password(password):
                raise ValueError
        except ValueError:
            return error("Username and/or password is incorrect.", 401)

        new_sess = Session.new_session(username)
        db.session.add(new_sess)
        db.session.commit()
        return new_sess.json(), 200
    def get(self, **kwargs):
        """List every order (admin only).

        Returns a list of order JSON dicts, or a 401 ``error`` when the
        authenticated user's role is not ``"admin"``.
        """
        caller = kwargs["user"]
        if caller.role != "admin":
            return error("Not authorized", 401)

        return [o.json() for o in Order.query.all()]
    def get(self, id, **kwargs):
        """List the orders in which the given customer participates.

        Returns:
            A list of order JSON dicts; 400 on ``AttributeError`` from
            ``to_uuid`` or the lookup; 404 when the lookup raises
            ``ValueError``; 401 when the caller is neither that customer nor
            an admin.
        """
        try:
            cust_id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        # Guard clause: ACL first, then the lookup.
        if not _acl_same_customer_id_or_admin(cust_id, kwargs["user"]):
            return error("Not authorized", 401)

        try:
            found = Order.get_by_participant_id("customer", cust_id)
            return [o.json() for o in found]
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)
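    def get(self, id, **kwargs):
        """Return a single order by id, subject to the participant ACL.

        Returns:
            ``(order_json, 200)`` when the caller is a participant of the
            order or an admin; 400 on ``AttributeError`` (from ``to_uuid``,
            the lookup, the ACL helper or ``json()``); 404 when the lookup
            raises ``ValueError`` and the caller is an admin; 401 otherwise —
            non-admins get the same response for "no access" and "no such
            order" so the endpoint does not leak which order ids exist.
        """
        try:
            id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        auth_user = kwargs["user"]

        try:
            order = Order.get_by_id(id)
            if not _acl_get_order_same_participant_or_admin(order, auth_user):
                return error("Not authorized", 401)
            # A successful read is 200; the earlier 201 ("Created") was wrong
            # for a GET and inconsistent with the other GET handlers.
            return order.json(), 200

        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            if auth_user.role == "admin":
                return error(e, 404)

            # Regular users must not be able to probe which order ids exist.
            return error("Not authorized", 401)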
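    def post(self):
        """Register a new user from ``self.parser``'s arguments.

        ``role`` defaults to ``"customer"`` when absent. Returns
        ``(user_json, 201)`` on success; 400 when username or password is
        missing, the username is taken, or creating/committing the user
        raises.
        """
        args = self.parser.parse_args()

        username = args["username"]
        password = args["password"]
        # NOTE(review): the role is taken verbatim from the request. Unless
        # self.parser or User.new_user restricts it, a caller can pick a
        # privileged role for themselves — confirm the allowed values are
        # enforced somewhere.
        role = args["role"]
        if role is None:
            role = "customer"

        # ``is None`` rather than ``== None`` for the missing-field sentinel.
        if username is None or password is None:
            return error("Request must contain username and password.", 400)

        if not User.username_available(username):
            return error(f"Username '{username}' has been taken.", 400)

        try:
            user = User.new_user(username, password, role)
            db.session.add(user)
            db.session.commit()
            return user.json(), 201

        except Exception as e:
            # NOTE(review): this echoes the raw exception text (for example a
            # DB error when two registrations race past the availability
            # check) to the client; prefer a generic message plus
            # server-side logging.
            return error(str(e), 400)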
    def post(self, **kwargs):
        """Create an order for ``customer_id`` from the request body.

        The caller must be that customer or an admin (401 otherwise). The
        order gets a fresh ``uuid4()`` id, is committed, and is returned as
        ``(order_json, 201)``.
        """
        caller = kwargs["user"]
        fields = _parse_full_order_request()

        allowed = _acl_create_order_same_customer_or_admin(
            fields['customer_id'], caller)
        if not allowed:
            return error("Not authorized", 401)

        new_order = Order.new_order(
            id=uuid4(),
            item=fields["item"],
            customer_id=fields["customer_id"],
            employee_id=fields["employee_id"],
            order_time=fields["order_time"],
        )
        db.session.add(new_order)
        db.session.commit()
        return new_order.json(), 201