rsw/score
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Update rights manager for events

Browse Source
This commit is contained in:
Sebastiaan
2025-06-13 18:49:33 +02:00
parent 9b4d32ffff
commit 7848578ebb
1 changed files with 83 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

210
backend/app/api/routes/teams.py
View File

@@ -37,6 +37,34 @@ router = APIRouter(prefix="/teams", tags=[ApiTags.TEAMS])
# region # Teams ############################################################### # region # Teams ###############################################################
def load_team(
session: SessionDep,
current_user: CurrentUser,
id: RowId | None = None,
module: PermissionModule = PermissionModule.TEAM,
part: PermissionPart = PermissionPart.ADMIN,
user_rights: PermissionRight | None = None,
event_rights: PermissionRight | None = PermissionRight.MANAGE_TEAMS,
) -> Team | None:
team = session.get(Team, id)
if id and not team:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found")
valid = False
if current_user.has_permissions(module=module, part=part, rights=user_rights):
# Also valid for create new
valid = True
if hasattr(team, "event"):
if team.event.user_has_rights(user=current_user, rights=event_rights):
valid = True
if not valid:
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
return team
@router.get("/", response_model=TeamsPublic) @router.get("/", response_model=TeamsPublic)
def read_teams( def read_teams(
session: SessionDep, current_user: CurrentUser, skip: int = 0, limit: int = 100 session: SessionDep, current_user: CurrentUser, skip: int = 0, limit: int = 100
@@ -50,39 +78,22 @@ def read_teams(
part=PermissionPart.ADMIN, part=PermissionPart.ADMIN,
rights=PermissionRight.READ, rights=PermissionRight.READ,
): ):
count_statement = select(func.count()).select_from(Team) data_query = (
count = session.exec(count_statement).one()
statement = select(Team).offset(skip).limit(limit)
teams = session.exec(statement).all()
else:
# Only read teams that are connected to an event that the user can read
count_statement = (
select(func.count())
.select_from(Team)
.join(Event) # Join with Event to filter teams based on events
.join(EventUserLink) # Join with EventUserLink to check user permissions
.where(
EventUserLink.user_id == current_user.id,
# FIXME: (EventUserLink.rights & (PermissionRight.READ | PermissionRight.MANAGE_TEAMS)) > 0
)
)
count = session.exec(count_statement).one()
statement = (
select(Team) select(Team)
.join(Event) )
.join(EventUserLink) else:
data_query = (
select(Team)
.join(EventUserLink, EventUserLink.event_id == Team.event_id)
.where( .where(
EventUserLink.user_id == current_user.id, EventUserLink.user_id == current_user.id,
# FIXME: (EventUserLink.rights & (PermissionRight.READ | PermissionRight.MANAGE_TEAMS)) > 0 # FIXME: (EventUserLink.rights & (PermissionRight.READ | PermissionRight.MANAGE_TEAMS)) > 0
) )
.offset(skip)
.limit(limit)
) )
teams = session.exec(statement).all()
return TeamsPublic(data=teams, count=count) count = session.exec(select(func.count()).select_from(data_query.subquery())).one()
data = session.exec(data_query.offset(skip).limit(limit)).all()
return TeamsPublic(data=data, count=count)
@router.get("/{id}", response_model=TeamPublic) @router.get("/{id}", response_model=TeamPublic)
@@ -90,20 +101,12 @@ def read_team(session: SessionDep, current_user: CurrentUser, id: RowId) -> Any:
""" """
Get team by ID. Get team by ID.
""" """
team = session.get(Team, id) team = load_team(
if not team: session=session,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") current_user=current_user,
id=id,
event = session.get(Event, team.event_id) user_rights=PermissionRight.READ,
if not event: # pragma: no cover )
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found")
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.READ,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_TEAMS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
return team return team
@@ -138,21 +141,12 @@ def update_team(
""" """
Update a team. Update a team.
""" """
team = session.get(Team, id) team = load_team(
if not team: session=session,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") current_user=current_user,
id=id,
# Check user's permissions for the existing event user_rights=PermissionRight.UPDATE,
event = session.get(Event, team.event_id) )
if not event: # pragma: no cover
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found")
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.UPDATE,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_TEAMS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
# Check rights for the new event data # Check rights for the new event data
if team_in.event_id: if team_in.event_id:
@@ -177,20 +171,12 @@ def delete_team(session: SessionDep,current_user: CurrentUser, id: RowId) -> Mes
""" """
Delete a team. Delete a team.
""" """
team = session.get(Team, id) team = load_team(
if not team: session=session,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") current_user=current_user,
id=id,
event = session.get(Event, team.event_id) user_rights=PermissionRight.DELETE,
if not event: # pragma: no cover )
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found")
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.DELETE,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_TEAMS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
session.delete(team) session.delete(team)
session.commit() session.commit()
@@ -206,20 +192,13 @@ def read_team_divisions(session: SessionDep, current_user: CurrentUser, id: RowI
""" """
Get division from team by ID. Get division from team by ID.
""" """
team = session.get(Team, id) team = load_team(
if not team: session=session,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") current_user=current_user,
id=id,
event = session.get(Event, team.event_id) user_rights=PermissionRight.MANAGE_DIVISIONS,
if not event: # pragma: no cover event_rights=PermissionRight.MANAGE_DIVISIONS,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found") )
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.MANAGE_DIVISIONS,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_DIVISIONS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
return team.division_link return team.division_link
@@ -231,25 +210,17 @@ def create_team_division_link(
""" """
Create new division link in team. Create new division link in team.
""" """
team = load_team(
team = session.get(Team, id) session=session,
if not team: current_user=current_user,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") id=id,
user_rights=PermissionRight.MANAGE_DIVISIONS,
event_rights=PermissionRight.MANAGE_DIVISIONS,
)
if team.division_link: if team.division_link:
raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Team already linked to division") raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Team already linked to division")
event = session.get(Event, team.event_id)
if not event: # pragma: no cover
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found")
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.MANAGE_DIVISIONS,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_DIVISIONS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
division_team_link = DivisionTeamLink.create(create_obj=team_in, session=session, team=team) division_team_link = DivisionTeamLink.create(create_obj=team_in, session=session, team=team)
return division_team_link return division_team_link
@@ -261,21 +232,13 @@ def update_team_division_link(
""" """
Update division info inside team. Update division info inside team.
""" """
team = session.get(Team, id) team = load_team(
if not team: session=session,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") current_user=current_user,
id=id,
# Check user's permissions for the existing event user_rights=PermissionRight.MANAGE_DIVISIONS,
event = session.get(Event, team.event_id) event_rights=PermissionRight.MANAGE_DIVISIONS,
if not event: # pragma: no cover )
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found")
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.MANAGE_DIVISIONS,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_DIVISIONS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
# Update the team # Update the team
division_team_link = DivisionTeamLink.update(db_obj=team.division_link, in_obj=team_in, session=session) division_team_link = DivisionTeamLink.update(db_obj=team.division_link, in_obj=team_in, session=session)
@@ -287,20 +250,13 @@ def delete_team_division_link(session: SessionDep, current_user: CurrentUser, id
""" """
Delete a division link from a team. Delete a division link from a team.
""" """
team = session.get(Team, id) team = load_team(
if not team: session=session,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Team not found") current_user=current_user,
id=id,
event = session.get(Event, team.event_id) user_rights=PermissionRight.MANAGE_DIVISIONS,
if not event: # pragma: no cover event_rights=PermissionRight.MANAGE_DIVISIONS,
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Event not found") )
if not current_user.has_permissions(
module=PermissionModule.TEAM,
part=PermissionPart.ADMIN,
rights=PermissionRight.MANAGE_DIVISIONS,
) and not (event.user_has_rights(user=current_user, rights=PermissionRight.MANAGE_DIVISIONS)):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions")
session.delete(team.division_link) session.delete(team.division_link)
session.commit() session.commit()