def role_auth(self, profile: dict, allowed_roles: List[str], resource: str, method: str) -> bool:
    """Authorize the caller identified by *profile* for the requested resource.

    The caller is looked up by the ``email`` claim of *profile* and the result is
    stored on the request context. Access is then decided in three tiers:

    * No account on record: only ``POST`` on ``new_users`` (self-registration).
    * Account without an ``approval_date``: only ``GET`` on ``users``. Note that
      ownership is not verified here; only the resource name and method are.
    * Approved account: permitted when *allowed_roles* is empty or contains the
      account's role. An empty *allowed_roles* therefore admits every approved
      user, so an endpoint meant for nobody must not pass ``[]``.

    Args:
        profile: Identity claims for the caller; must contain an ``email`` key.
        allowed_roles: Roles accepted by the endpoint; empty means any role.
        resource: Name of the resource the request targets.
        method: HTTP method of the request.

    Returns:
        ``True`` when access is granted.

    Raises:
        Unauthorized: When access is denied; the message names the caller's email.
    """
    email = profile["email"]
    user = Users.find_by_email(email)
    ctx = _request_ctx_stack.top
    ctx.current_user = user

    if not user:
        # No database record yet, but downstream code still gets the caller's
        # identity via the request context.
        ctx.current_user = Users(email=email)
        is_self_registration = resource == "new_users" and method == "POST"
        if not is_self_registration:
            raise Unauthorized(f'{email} is not registered.')
        return True

    if not user.approval_date:
        # Pending accounts are limited to reading the users resource.
        is_account_read = resource == "users" and method == "GET"
        if not is_account_read:
            raise Unauthorized(f"{email}'s registration is pending approval")
        return True

    # Approved account: the role gate only applies when the endpoint restricts roles.
    role_permitted = not allowed_roles or user.role in allowed_roles
    if not role_permitted:
        raise Unauthorized(f'{email} is not authorized to access this endpoint.')
    return True