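    def get(self, id, **kwargs):
        """Return one order as JSON, or an ``error(...)`` response.

        Args:
            id: Order identifier taken from the route; converted with
                ``to_uuid`` before it is used.
            **kwargs: Must contain ``"user"``, the authenticated caller
                (presumably injected by a decorator — confirm).

        Returns:
            ``(order.json(), 200)`` when the caller participates in the order
            or is an admin. Otherwise an ``error(...)`` tuple: 400 for a
            malformed id or an AttributeError from the lookup, 404 for an
            unknown id (admins only), 401 in every other case.
        """
        try:
            id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        auth_user = kwargs["user"]

        try:
            order = Order.get_by_id(id)
            if _acl_get_order_same_participant_or_admin(order, auth_user):
                # A read answers 200; the original returned 201, which is
                # reserved for resource creation.
                return order.json(), 200
            return error("Not authorized", 401)

        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            if auth_user.role == "admin":
                return error(e, 404)

            # Regular users get the same 401 as for someone else's order, so
            # the response does not reveal whether the id exists.
            return error("Not authorized", 401)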
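    def post(self, id, **kwargs):
        """Create a customer with the given id from the request body.

        Args:
            id: Customer identifier taken from the route; converted with
                ``to_uuid`` before it is used.
            **kwargs: Must contain ``"user"``, the authenticated caller.

        Returns:
            ``(cust.json(), 201)`` on success. Otherwise an ``error(...)``
            tuple: 400 for a malformed id or an id that is already taken,
            401 when the caller is neither that customer nor an admin.
        """
        try:
            id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        auth_user = kwargs["user"]

        # Authorize before reading the request body or touching the database.
        if not _acl_same_customer_id_or_admin(id, auth_user):
            return error("Not authorized", 401)

        args = _parse_full_user_request()

        if Customer.id_exists(id):
            return error("Customer ID exists", 400)

        cust = Customer.new_customer(
            id=id,
            name=args["name"],
            gender=args["gender"],
            tel=args["tel"],
            address=args["address"],
        )

        db.session.add(cust)
        try:
            db.session.commit()
        except Exception:
            # The id_exists check and the commit are not atomic, so the commit
            # can still fail (e.g. a concurrent insert of the same id). Roll
            # back so the session is not left in a failed transaction, then
            # let the error propagate as before.
            db.session.rollback()
            raise

        return cust.json(), 201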
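    def id_exists(id) -> bool:
        """Return True if an employee row with this id exists.

        Args:
            id: Employee identifier; converted with ``to_uuid`` first (the
                views in this file treat AttributeError from it as a bad id).

        Returns:
            bool
        """
        id = to_uuid(id)

        # Fetching the first match stops at one row instead of issuing a
        # COUNT over the table, and the explicit ``is not None`` replaces the
        # ``if ...: return True / return False`` form.
        return Employee.query.filter_by(id=id).first() is not None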
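    def get_by_id(id) -> "Order":
        """Return the order with the given id.

        Args:
            id: Order identifier; converted with ``to_uuid`` before the query.

        Returns:
            The matching ``Order`` row.

        Raises:
            ValueError: If no order has this id. The message embeds the id;
                the order view only forwards it to admins, so keep that in
                mind if the message is ever enriched.
        """
        id = to_uuid(id)

        # One round trip: fetch the row and test for absence, instead of a
        # COUNT query followed by a second SELECT for the same row.
        order = Order.query.filter_by(id=id).first()
        if order is None:
            raise ValueError(f"Order {str(id)} not found.")

        return order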
    def get_by_participant_id(role, id) -> list:
        """Return every order in which ``id`` takes part as ``role``.

        Args:
            role: ``'customer'`` or ``'employee'``; selects the foreign-key
                column the id is matched against.
            id: Participant identifier; converted with ``to_uuid`` first.

        Returns:
            A list of ``Order`` rows, possibly empty.

        Raises:
            AttributeError: If ``role`` is neither accepted value. (Callers in
                this file map AttributeError to a 400 response.)
        """
        id = to_uuid(id)

        # Resolve the role name to the column it filters on, then run a
        # single query built from that column.
        if role == 'customer':
            column = 'customer_id'
        elif role == 'employee':
            column = 'employee_id'
        else:
            raise AttributeError(f"Role {role} not valid for order {str(id)}")

        return Order.query.filter_by(**{column: id}).all()
    def get(self, id, **kwargs):
        """Return one employee as JSON, or an ``error(...)`` response.

        Args:
            id: Employee identifier taken from the route; converted with
                ``to_uuid`` before it is used.
            **kwargs: Must contain ``"user"``, the authenticated caller.

        Returns:
            ``Employee.get_by_id(id).json()`` on success. Otherwise an
            ``error(...)`` tuple: 400 for a malformed id or an AttributeError
            from the lookup, 404 when the lookup raises ValueError.
        """
        try:
            employee_id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        # NOTE(review): auth_user is read but never consulted. Unlike the
        # customer endpoints there is no ownership/role check before the
        # lookup, so any authenticated caller can read any employee record.
        # Confirm whether whatever supplies kwargs["user"] already restricts
        # the role; if not, an ACL check belongs here.
        auth_user = kwargs["user"]

        try:
            return Employee.get_by_id(employee_id).json()
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)
    def get(self, id, **kwargs):
        """Return one customer as JSON, or an ``error(...)`` response.

        Args:
            id: Customer identifier taken from the route; converted with
                ``to_uuid`` before it is used.
            **kwargs: Must contain ``"user"``, the authenticated caller.

        Returns:
            ``Customer.get_by_id(id).json()`` when the caller is that
            customer or an admin. Otherwise an ``error(...)`` tuple: 401 when
            not authorized, 400 for a malformed id or an AttributeError from
            the lookup, 404 when the lookup raises ValueError.
        """
        try:
            customer_id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        auth_user = kwargs["user"]

        # Guard clause: authorization is decided before any lookup happens.
        if not _acl_same_customer_id_or_admin(customer_id, auth_user):
            return error("Not authorized", 401)

        try:
            return Customer.get_by_id(customer_id).json()
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)
    def get(self, id, **kwargs):
        """Return the orders of one customer as a list of JSON objects.

        Args:
            id: Customer identifier taken from the route; converted with
                ``to_uuid`` before it is used.
            **kwargs: Must contain ``"user"``, the authenticated caller.

        Returns:
            A list of ``order.json()`` values (possibly empty) when the caller
            is that customer or an admin. Otherwise an ``error(...)`` tuple:
            401 when not authorized, 400 for a malformed id or an
            AttributeError from the lookup, 404 when it raises ValueError.
        """
        try:
            customer_id = to_uuid(id)
        except AttributeError as e:
            return error(e, 400)

        auth_user = kwargs["user"]

        # Guard clause: authorization is decided before any lookup happens.
        if not _acl_same_customer_id_or_admin(customer_id, auth_user):
            return error("Not authorized", 401)

        try:
            matching = Order.get_by_participant_id("customer", customer_id)
            return [each.json() for each in matching]
        except AttributeError as e:
            return error(e, 400)
        except ValueError as e:
            return error(e, 404)