From 4b37f74d3e5dea2630fd78219ff88433647ad2b4 Mon Sep 17 00:00:00 2001
From: grimhilt
Date: Mon, 7 Aug 2023 16:52:29 +0200
Subject: [PATCH] improve permissions
---
 src/api/abl/PlaylistAbl.py | 31 +++++++++++++++---------
 src/api/controllers/playlist.py | 23 ++++++------------
 src/api/dao/Playlist.py | 6 +----
 src/api/models.py | 9 ++++---
 src/api/permissions.py | 43 ++++++++++++++++++++++++++++-----
 5 files changed, 72 insertions(+), 40 deletions(-)
diff --git a/src/api/abl/PlaylistAbl.py b/src/api/abl/PlaylistAbl.py
index 57a7926..0d44d43 100644
--- a/src/api/abl/PlaylistAbl.py
+++ b/src/api/abl/PlaylistAbl.py
@@ -1,4 +1,4 @@
-from flask import jsonify
+from flask import jsonify, request
 from ..models import Playlist, PlaylistFile, File
 from .. import db
 from datetime import datetime
@@ -9,7 +9,7 @@ from screen.ScreenManager import ScreenManager
 class PlaylistAbl:
 @staticmethod
 def create(data):
- new_playlist = Playlist(name=data['name'], owned_id=current_user.as_dict()['id'])
+ new_playlist = Playlist(name=data['name'], owner_id=current_user.as_dict()['id'])
 db.session.add(new_playlist)
 db.session.flush()
 db.session.commit()
@@ -28,15 +28,24 @@ class PlaylistAbl:
 @staticmethod
 def get_playlist(playlist_id):
- print("get")
- #(query, files) = PlaylistDao.get_playlist(playlist_id)
- print(query)
- #return jsonify({'id': query.id, 'name': query.name, 'files': files})
- return jsonify(success=True)
+ (query, files) = PlaylistDao.get_playlist(playlist_id)
+ return jsonify({'id': query.id, 'name': query.name, 'owner_id': query.owner_id, 'files': files})
+
+ @staticmethod
+ def list():
+ playlists = db.session.query(Playlist).all()
+ res = []
+ for playlist in playlists:
+ p = playlist.as_dict()
+ p['last_modified'] = p['last_modified'].isoformat()
+ res.append(p)
+
+ return jsonify(res)
+
 # EDIT PLAYLIST CONTENT
 @staticmethod
- def add_file(data):
+ def add_file(playlist_id, data):
 data = request.get_json()
 new_playlist_file = PlaylistFile( \
 playlist_id=playlist_id, \
@@ -50,7 +59,7 @@ class PlaylistAbl:
 return jsonify(success=True)
 @staticmethod
- def change_order(data):
+ def change_order(playlist_id, data):
 db.session.query(PlaylistFile) \
 .filter(PlaylistFile.file_id == data['file_id']) \
 .filter(PlaylistFile.playlist_id == playlist_id) \
@@ -59,7 +68,7 @@ class PlaylistAbl:
 return jsonify(success=True)
 @staticmethod
- def change_seconds(data):
+ def change_seconds(playlist_id, data):
 db.session.query(PlaylistFile) \
 .filter(PlaylistFile.file_id == data['file_id']) \
 .filter(PlaylistFile.playlist_id == playlist_id) \
@@ -68,7 +77,7 @@ class PlaylistAbl:
 return jsonify(success=True)
 @staticmethod
- def remove_file(data):
+ def remove_file(playlist_id, data):
 data = request.get_json()
 query = db.session.query(PlaylistFile) \
 .filter(PlaylistFile.file_id == data['file_id']) \
diff --git a/src/api/controllers/playlist.py b/src/api/controllers/playlist.py
index 3ff2057..551057e 100644
--- a/src/api/controllers/playlist.py
+++ b/src/api/controllers/playlist.py
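Review bot: In `add_file` the new `data` parameter is discarded on the very next line by `data = request.get_json()`, so the body the controller already parsed is read a second time and the signature promises something the function ignores; `remove_file` in the last hunk of this file has the same reassignment. Drop `data = request.get_json()` in both so they work from their argument the way `change_order` and `change_seconds` do, and the `request` import added at the top of the file becomes unnecessary. `get_playlist` now also returns `owner_id`, so whatever view check applies to that controller route decides who learns it; the `@staticmethod` named `list` shadows the builtin only inside the class body, which is harmless here. The bodies of `add_file` and `remove_file` continue past the hunk.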
@@ -12,7 +12,7 @@ from ..permissions import Perm, permissions
 playlist = Blueprint('playlist', __name__)
-@playlist.route('', methods=['POST'])
+@playlist.route('/playlists', methods=['POST'])
 @login_required
 @permissions.require([Perm.CREATE_PLAYLIST])
 def create():
@@ -21,16 +21,7 @@ def create():
 @playlist.route('/playlists', methods=["GET"])
 @login_required
 def list():
- print(current_user)
- playlists = db.session.query(Playlist).all()
-
- res = []
- for playlist in playlists:
- p = playlist.as_dict()
- p['last_modified'] = p['last_modified'].isoformat()
- res.append(p)
-
- return jsonify(res)
+ return PlaylistAbl.list()
 @playlist.route('/playlists/', methods=["GET"])
 @login_required
@@ -44,25 +35,25 @@ def get_playlist(playlist_id):
 @login_required
 @permissions.require([Perm.EDIT_PLAYLIST])
 def add_file(playlist_id):
- return PlaylistAbl.add_file(request.get_json())
+ return PlaylistAbl.add_file(playlist_id, request.get_json())
 @playlist.route('/playlists//order', methods=["POST"])
 @login_required
 @permissions.require([Perm.EDIT_PLAYLIST])
 def change_order(playlist_id):
- return PlaylistAbl.change_order(request.get_json())
+ return PlaylistAbl.change_order(playlist_id, request.get_json())
 @playlist.route('/playlits//seconds', methods=["POST"])
 @login_required
 @permissions.require([Perm.EDIT_PLAYLIST])
 def change_seconds(playlist_id):
- return PlaylistAbl.change_seconds(request.get_json())
+ return PlaylistAbl.change_seconds(playlist_id, request.get_json())
 @playlist.route('/playlists//remove_file', methods=["POST"])
 @login_required
 @permissions.require([Perm.EDIT_PLAYLIST])
 def remove_file(playlist_id):
- return PlaylistAbl.remove_file(request.get_json())
+ return PlaylistAbl.remove_file(playlist_id, request.get_json())
 @playlist.route('/playlists//update', methods=["PUT"])
 @login_required
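Review bot: `list()` remains guarded only by `@login_required`, so every authenticated user receives every playlist row (owner_id and the three permission columns included, since `as_dict` serializes all columns) regardless of the `read_permissions` value the model carries; if playlists are meant to be private, the listing should be restricted to what the caller owns or may view before it is serialized, rather than moved unchanged into `PlaylistAbl.list`. Separately, `def list():` at module level shadows the builtin `list` for the rest of controllers/playlist.py; a name such as `list_playlists` avoids that. The `permissions.require` decorator for `get_playlist` is not visible in this hunk, so whether the single-playlist route is filtered cannot be judged from here.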
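Review bot: The route registered for `change_seconds` in this hunk starts with `/playlits` (a typo for `/playlists`), which the patch leaves in place, so that endpoint lives under a different prefix from its three siblings and any client following the documented paths gets a 404; the context line should read `/playlists` like the others. The four wrapper changes themselves are consistent with the new `PlaylistAbl` signatures.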
@@ -72,6 +63,7 @@ def update(playlist_id):
 @playlist.route('/playlists//activate', methods=["POST"])
 @login_required
+@permissions.require([Perm.ACTIVATE_PLAYLIST])
 def activate(playlist_id):
 screen_manager = ScreenManager.getInstance()
 screen_manager.activate_playlist(playlist_id)
@@ -79,6 +71,7 @@ def activate(playlist_id):
 @playlist.route('/playlists//disactivate', methods=["POST"])
 @login_required
+@permissions.require([Perm.ACTIVATE_PLAYLIST])
 def disactivate(playlist_id):
 screen_manager = ScreenManager.getInstance()
 screen_manager.disactivate_playlist()
diff --git a/src/api/dao/Playlist.py b/src/api/dao/Playlist.py
index 0d43f0c..bff345f 100644
--- a/src/api/dao/Playlist.py
+++ b/src/api/dao/Playlist.py
@@ -3,13 +3,9 @@ from ..models import Playlist, PlaylistFile, File
 class PlaylistDao:
 def get_playlist(playlist_id):
- print(playlist_id)
- print("ok")
 query = db.session.query(Playlist).filter(Playlist.id == playlist_id).first()
- print("ok")
- print(query.files)
 files = []
- for playlist_file in query.files:
+ for playlist_file in query.playlist_files:
 file = playlist_file.file.as_dict()
 file['position'] = playlist_file.position
 file['seconds'] = playlist_file.seconds
diff --git a/src/api/models.py b/src/api/models.py
index a2d0bfc..c414632 100644
--- a/src/api/models.py
+++ b/src/api/models.py
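Review bot: `disactivate` is now gated by `Perm.ACTIVATE_PLAYLIST`, whose check verifies ownership of the `playlist_id` taken from the URL, but the handler calls `screen_manager.disactivate_playlist()` with no id, so the action applies to whichever playlist is currently active rather than the one the caller was authorized for; a user who owns any playlist can therefore deactivate someone else's. The authorized object and the acted-on object must be the same: pass the id through, `screen_manager.disactivate_playlist(playlist_id)`, and have the manager refuse when it does not match the active playlist (or make the check compare against the active playlist's owner). The `activate` hunk above has no such mismatch, though the "check view" TODO in CheckActivatePlaylist means non-owners with view rights are rejected for now. Both handler bodies continue past the hunk.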
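Review bot: `query` is None when no playlist has the requested id, and the loop over `query.playlist_files` then raises AttributeError, which reaches the client as a 500 from `PlaylistAbl.get_playlist` unless a permission decorator on the controller already returned 404; guard it with `if query is None: return None, []` and have the ABL caller turn a None `query` into a 404 response instead of reading `query.id`. Removing the `print` calls is right — the old `print(query.files)` would have logged every associated file row per request. `get_playlist` is declared inside `PlaylistDao` without `self` or `@staticmethod`, which only works because the ABL calls it on the class; marking it `@staticmethod` makes that explicit. The function's tail is outside the hunk.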
@@ -8,12 +8,14 @@ class PlaylistFile(db.Model):
 file_id = db.Column(db.Integer, db.ForeignKey('file.id'), primary_key=True)
 position = db.Column(db.Integer)
 seconds = db.Column(db.Integer, default=10)
+ playlist = db.relationship('Playlist', back_populates='playlist_files')
+ file = db.relationship('File', back_populates='playlist_files')
 class File(db.Model):
 id = db.Column(db.Integer, primary_key = True, autoincrement=True)
 name = db.Column(db.String(150))
 type = db.Column(db.String(255)) # maximum length of mimetype
- playlists = db.relationship('Playlist', secondary='PlaylistFile', back_populates='files')
+ playlist_files = db.relationship('PlaylistFile', back_populates='file')
 def as_dict(self):
 return {c.name: getattr(self, c.name) for c in self.__table__.columns}
@@ -21,12 +23,13 @@ class File(db.Model):
 class Playlist(db.Model):
 id = db.Column(db.Integer, primary_key = True, autoincrement=True)
 name = db.Column(db.String(150))
- owned_id = db.Column(db.Integer, db.ForeignKey('user.id'))
+ owner_id = db.Column(db.Integer, db.ForeignKey('user.id'))
 last_modified = db.Column(db.DateTime(timezone=True), default=func.now())
 read_permissions = db.Column(db.Integer, default=0)
 write_permissions = db.Column(db.Integer, default=0)
 execute_permissions = db.Column(db.Integer, default=0)
- files = db.relationship('File', secondary='PlaylistFile', back_populates='playlists')
+ files = db.relationship('File', secondary='PlaylistFile')
+ playlist_files = db.relationship('PlaylistFile', order_by='PlaylistFile.position', back_populates='playlist')
 def as_dict(self):
 return {c.name: getattr(self, c.name) for c in self.__table__.columns}
diff --git a/src/api/permissions.py b/src/api/permissions.py
index 0f9bed0..49cc798 100644
--- a/src/api/permissions.py
+++ b/src/api/permissions.py
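Review bot: `Playlist.files` keeps a `secondary='PlaylistFile'` relationship while `Playlist.playlist_files` and the `PlaylistFile.playlist`/`PlaylistFile.file` relationships added in the previous hunk manage the same association rows; with two writable paths onto the same foreign-key columns SQLAlchemy 1.4+ typically emits an overlap warning, and a write through `files` and through `playlist_files` in one session can disagree. Since the patched DAO reads `playlist_files`, the safe form is `files = db.relationship('File', secondary='PlaylistFile', viewonly=True)` (or an explicit `overlaps=` declaration if `files` must stay writable). The `owned_id` → `owner_id` rename changes the schema and no migration appears in the diffstat, so existing databases need one or a recreate — worth stating in the commit message.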
@@ -5,7 +5,7 @@ from flask_login import current_user
 from . import db
 from .models import Playlist, PlaylistFile, User, Role, UserRole
-Perm = Enum('Perm', ['CREATE_ROLE', 'CREATE_PLAYLIST', 'VIEW_PLAYLIST', 'OWN_PLAYLIST', 'EDIT_PLAYLIST'])
+Perm = Enum('Perm', ['CREATE_ROLE', 'CREATE_PLAYLIST', 'VIEW_PLAYLIST', 'OWN_PLAYLIST', 'EDIT_PLAYLIST', 'ACTIVATE_PLAYLIST'])
 class permissions:
@@ -42,12 +42,18 @@ def CheckPermissionFactory(perm):
 return CheckOwnPlaylist()
 case Perm.EDIT_PLAYLIST:
 return CheckEditPlaylist()
+ case Perm.ACTIVATE_PLAYLIST:
+ return CheckActivatePlaylist()
 case _:
 return CheckNone()
 def get_playlist_id(args):
 if 'playlist_id' in args:
 return args['playlist_id']
+ json = request.get_json()
+ if 'playlist_id' in json:
+ print("in")
+ return json['playlist_id']
 return
@@ -67,7 +73,8 @@ class CheckOwnPlaylist:
 self.message = "This playlist doesn't exist"
 self.status_code = 404
 return False
- return query['owner_id'] == current_user.as_dict()['id']
+ print(query.as_dict())
+ return query.as_dict()['owner_id'] == current_user.as_dict()['id']
 class CheckViewPlaylist:
 def __init__(self):
@@ -87,12 +94,20 @@ class CheckViewPlaylist:
 return False
 class CheckEditPlaylist:
- def is_valid(self, args):
- if CheckOwnPlaylist().is_valid(playlist_id):
- return True
-
+ def __init__(self):
 self.message = "You don't have the permission to edit this playlist"
 self.status_code = 403
+
+ def is_valid(self, args):
+ check_own = CheckOwnPlaylist()
+ if check_own.is_valid(args):
+ return True
+ elif check_own.status_code == 404:
+ self.message = "This playlist doesn't exist"
+ self.status_code = 404
+ return False
+
+ # todo check edit
 return False
 class CheckCreatePlaylist:
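Review bot: `get_playlist_id` now falls back to the request body, but `request.get_json()` returns None for a request without a JSON content type, so `'playlist_id' in json` raises TypeError inside the permission check and the request fails with a 500 instead of a clean denial; use `json = request.get_json(silent=True) or {}`. The debug `print("in")` should not ship, and the local named `json` shadows the stdlib module if this file imports it — `body` reads better. A body-supplied id is only as good as the handler that consumes it: the check authorizes that id, so the handler must act on the same value or the authorization and the action can disagree (the routes changed in this patch all carry the id in the URL, so `args` wins there).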
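Review bot: `print(query.as_dict())` writes the whole playlist row, permission columns included, to stdout on every ownership check; it should be removed, or at most become a debug-level logger call. The comparison does not need the dict round-trip either: `return query.owner_id == current_user.as_dict()['id']`. The removed `query['owner_id']` form would have raised on a model instance, so this hunk does fix a real bug. `is_valid` starts above the hunk.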
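Review bot: `CheckEditPlaylist.is_valid` and the new `CheckActivatePlaylist.is_valid` (the last hunk of this file) are identical apart from the message, and both leave the non-owner path as a TODO, so EDIT and ACTIVATE are owner-only for now and the `write_permissions`/`execute_permissions` columns on Playlist are never consulted; factoring the owner-or-404 step into one helper (or a small base class) keeps the two from drifting when those TODOs are implemented. Answering 404 for an unknown id but 403 for another user's playlist also lets a non-owner tell which ids exist — acceptable if ids are not sensitive, but a deliberate choice worth a comment such as `# 404 vs 403 intentionally distinguishes missing from forbidden`.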
@@ -107,4 +122,20 @@ class CheckCreatePlaylist:
 self.status_code = 403
 return has_role_to_create
+class CheckActivatePlaylist:
+ def __init__(self):
+ self.message = "You don't have the permission to activate this playlist"
+ self.status_code = 403
+
+ def is_valid(self, args):
+ check_own = CheckOwnPlaylist()
+ if check_own.is_valid(args):
+ return True
+ elif check_own.status_code == 404:
+ self.message = "This playlist doesn't exist"
+ self.status_code = 404
+ return False
+
+ # todo check view
+ return False