    def role_auth(self, profile: dict, allowed_roles: List[str], resource: str,
                  method: str) -> bool:
        """Decide whether the caller behind ``profile`` may perform ``method`` on ``resource``.

        Args:
            profile: Identity claims of the authenticated caller. Only the
                ``"email"`` key is read here, and it must be present
                (a missing key propagates as ``KeyError``).
            allowed_roles: Roles permitted on the endpoint. An empty list (or
                ``None``) skips the role check for approved users entirely.
            resource: Name of the resource being accessed (e.g. ``"users"``).
            method: HTTP method of the request (e.g. ``"GET"``).

        Returns:
            ``True`` when the request is authorized. Denial is always signalled
            by raising; this method never returns ``False``.

        Raises:
            Unauthorized: if the email is not registered (except for a
                ``POST`` to ``"new_users"``), if the registration is still
                pending approval (except for a ``GET`` on ``"users"``), or if
                the user's role is not in a non-empty ``allowed_roles``.

        Side effects:
            Publishes the resolved user on the request context as
            ``current_user`` before any decision is taken, so downstream code
            can read it even when this call raises. For an unregistered email
            that is an unsaved ``Users`` instance carrying only the email.
        """
        email = profile["email"]
        user = Users.find_by_email(email)
        context = _request_ctx_stack.top

        # Always expose an identity on the request context, even for callers
        # that have no database record yet.
        context.current_user = user or Users(email=email)

        if not user:
            # Self-registration is the only action open to an unknown caller.
            if (resource, method) == ("new_users", "POST"):
                return True
            raise Unauthorized(f"{email} is not registered.")

        if not user.approval_date:
            # Pending accounts may only read account info.
            # NOTE(review): this gate is by resource/method only; limiting the
            # read to the caller's own record is presumably done by the handler
            # — confirm before relying on it.
            if (resource, method) == ("users", "GET"):
                return True
            raise Unauthorized(f"{email}'s registration is pending approval")

        # Approved account: enforce the endpoint's role list, if it has one.
        if allowed_roles and user.role not in allowed_roles:
            raise Unauthorized(f"{email} is not authorized to access this endpoint.")

        return True