Esempio n. 1
    def delete(self, user_id):
        """Soft-delete the user identified by ``user_id``.

        The target record is resolved through ``self._find_user``; the
        caller is then refused if the target is their own account. On
        success ``state`` becomes ``State.DELETED``, the session is
        committed and the updated record is returned with HTTP 200.

        No role check is visible in this method: whoever may reach it is
        decided elsewhere (presumably a decorator on the resource -- confirm).

        Raises:
            InvalidArgumentException: ``user_id`` is the caller's own id.
        """
        target = self._find_user(user_id)

        # Self-deletion guard. NOTE(review): the comparison is between the
        # caller's id and ``user_id`` exactly as received; if one is a str
        # (e.g. from the URL) and the other an int the guard never fires --
        # confirm both sides share a type.
        if get_current_user().id == user_id:
            raise InvalidArgumentException('cannot delete yourself')

        target.state = State.DELETED
        db.session.commit()
        return {'data': target.to_dict()}, HTTPStatus.OK
Esempio n. 2
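    def patch(self, user_id):
        """Update a user's mutable attributes from the JSON request body.

        ``self._check_current_user`` decides whether the caller may touch
        ``user_id`` before the record is loaded. The keys a caller may change
        come from ``MUTABLE_ATTRS_MAPPER`` keyed by the caller's role; a role
        without an entry is treated as "nothing is mutable", so the allow-list
        check denies instead of failing with a ``TypeError``. A ``password``
        key is base64-decoded, validated with ``check_password_format`` and
        stored through ``user.set_password``; every other permitted key is
        assigned with ``setattr``.

        Returns:
            ``({'data': <user dict>}, HTTPStatus.OK)`` after the commit.

        Raises:
            InvalidArgumentException: the body is not a JSON object, or a key
                is outside the caller's allow-list.
        """
        self._check_current_user(
            user_id, 'user cannot modify other user\'s information')
        user = self._find_user(user_id)

        # Deny-by-default: an unmapped role yields an empty allow-list rather
        # than ``None`` (``k not in None`` would raise a TypeError, i.e. an
        # opaque 500 instead of a clear rejection).
        mutable_attrs = MUTABLE_ATTRS_MAPPER.get(get_current_user().role) or ()

        data = request.get_json()
        # ``get_json()`` can hand back ``None`` or a non-object value (a JSON
        # array or scalar); only a mapping has the ``.items()`` used below.
        if not isinstance(data, dict):
            raise InvalidArgumentException('request body must be a JSON object')

        for k, v in data.items():
            # Allow-list check comes first: it is what stops a caller from
            # mass-assigning fields outside their role's permitted set.
            if k not in mutable_attrs:
                raise InvalidArgumentException(f'cannot edit {k} attribute!')
            if k == 'password':
                password = base64decode(v)
                check_password_format(password)
                user.set_password(password)
            else:
                setattr(user, k, v)

        db.session.commit()
        return {'data': user.to_dict()}, HTTPStatus.OK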
Esempio n. 3
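    def patch(self, user_id):
        """Update a user's mutable attributes from the JSON request body.

        The caller must be ``Role.ADMIN`` or be editing their own record.
        Which keys may change comes from ``MUTABLE_ATTRS_MAPPER`` keyed by the
        caller's role; a role without an entry is treated as "nothing is
        mutable", so the allow-list check denies instead of failing with a
        ``TypeError``. A ``password`` key goes straight to
        ``user.set_password`` (no decoding or format validation happens in
        this method); every other permitted key is assigned with ``setattr``.

        Returns:
            ``({'data': <user dict>}, HTTPStatus.OK)`` after the commit.

        Raises:
            UnauthorizedException: a non-admin caller targets another user.
            InvalidArgumentException: the body is not a JSON object, or a key
                is outside the caller's allow-list.
        """
        user = self._find_user(user_id)

        current_user = get_current_user()
        # NOTE(review): ``current_user.id != user_id`` is type-sensitive; a
        # str id from the URL never equals an int id and would wrongly deny
        # a user editing their own record -- confirm the types match.
        if current_user.role != Role.ADMIN and current_user.id != user_id:
            raise UnauthorizedException('user cannot modify others infomation')

        # Deny-by-default: an unmapped role yields an empty allow-list rather
        # than ``None`` (``k not in None`` would raise a TypeError).
        mutable_attrs = MUTABLE_ATTRS_MAPPER.get(current_user.role) or ()

        data = request.get_json()
        # ``get_json()`` can hand back ``None`` or a non-object value (a JSON
        # array or scalar); only a mapping has the ``.items()`` used below.
        if not isinstance(data, dict):
            raise InvalidArgumentException('request body must be a JSON object')

        for k, v in data.items():
            # Allow-list check comes first: it is what stops a caller from
            # mass-assigning fields outside their role's permitted set.
            if k not in mutable_attrs:
                raise InvalidArgumentException(f'cannot edit {k} attribute!')
            if k == 'password':
                user.set_password(v)
            else:
                setattr(user, k, v)

        db.session.commit()
        return {'data': user.to_dict()}, HTTPStatus.OK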
Esempio n. 4
 def wrapper_inside(*args, **kwargs):
     """Call ``f`` only when the current user holds ``Role.ADMIN``.

     ``f`` comes from the enclosing scope; the decorator this wrapper
     belongs to starts outside this snippet.

     Raises:
         UnauthorizedException: the caller's role is not ``Role.ADMIN``.
     """
     caller = get_current_user()
     if caller.role == Role.ADMIN:
         return f(*args, **kwargs)
     raise UnauthorizedException('only admin can operate this')
Esempio n. 5
 def _check_current_user(self, user_id, msg):
     """Raise ``NoAccessException(msg)`` unless the caller may act on ``user_id``.

     Admins always pass; any other caller passes only when ``user_id`` is
     their own id. NOTE(review): that equality is type-sensitive -- a str id
     taken from a URL never equals an int id and would wrongly deny a user's
     own request; confirm the caller normalises the type first.
     """
     caller = get_current_user()
     is_admin = caller.role == Role.ADMIN
     is_self = user_id == caller.id
     if not (is_admin or is_self):
         raise NoAccessException(msg)