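def delete(self, id):
    """Delete the user with primary key ``id``.

    Only an admin may call this: the caller is identified by the username
    in the request's Basic-auth header and must have ``admin`` set.

    Returns:
        403 if the caller is unknown or not an admin, 400 if no user with
        ``id`` exists, 202 once the row has been deleted and committed.
    """
    # Identify the caller from the Basic-auth header.
    # NOTE(review): auth_password is not checked in this method; it relies on
    # the credentials having been verified upstream (e.g. a login-required
    # decorator on the resource) — confirm before relying on it.
    auth_username, _auth_password = decode_basic_auth_info(request)
    auth_user = User.query.filter(User.username == auth_username).first()
    # A username that matches no account must be rejected, not dereferenced:
    # `auth_user.admin` on None raised AttributeError (a 500) here before.
    if auth_user is None or not auth_user.admin:
        return Response(status=403)

    user = User.query.get(id)
    if user is None:
        # Kept as 400 for compatibility with existing callers, although a
        # missing resource is conventionally 404 (which `put` returns).
        return Response(status=400)

    db.session.delete(user)
    db.session.commit()
    return Response(status=202)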
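def put(self, id):
    """Set a new password for the user with primary key ``id``.

    The request body must be JSON carrying ``password`` (parsed through
    ``self.reqparse``), and the caller — identified by the username in the
    Basic-auth header — may only change their own password.

    Returns:
        400 if the request is not JSON, 404 if no user with ``id`` exists,
        403 if the caller is not that user, otherwise the marshalled user
        with status 201.
    """
    # Compare only the media type: a header such as
    # 'application/json; charset=utf-8' is still JSON, and a missing header
    # must produce the same 400 as a wrong one rather than a KeyError.
    content_type = request.headers.get('content-type', '')
    media_type = content_type.split(';', 1)[0].strip().lower()
    if media_type != 'application/json':
        return Response(status=400)  # invalid content-type

    args = self.reqparse.parse_args()
    new_password = args['password']

    user = User.query.get(id)
    if user is None:
        # Answering 404 before the ownership check tells any caller which ids
        # exist; kept for compatibility with existing clients.
        return Response(status=404)

    # TODO(eso) abort if hashed password matches old password

    # Only the account owner may change the password.
    # NOTE(review): auth_password is not verified in this method; it assumes
    # the credentials were already checked upstream — confirm.
    auth_username, _auth_password = decode_basic_auth_info(request)
    if user.username != auth_username:
        return Response(status=403)

    user.hash_password(new_password)
    db.session.add(user)
    db.session.commit()
    return {'user': marshal(user, USER_FIELDS)}, 201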