Mclean/feature/security improvement (#279)

## Describe your changes Get this branch actually working ## Issue ticket number and link
TechlauncherFireApp · Sep 3, 2024 · 02647ab · 02647ab
2 parents ccd085b + 5f4e936
commit 02647ab
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 30 deletions.
diff --git a/controllers/asset_type_role.py b/controllers/asset_type_role.py
@@ -37,6 +37,7 @@ def get(self):
         with session_scope() as session:
             return get_seats(session, args['assetTypeId'])
 
+    @requires_auth
     def delete(self):
         args = parser.parse_args()
         if args['assetTypeRoleId'] is None:

diff --git a/controllers/diet_requirement.py b/controllers/diet_requirement.py
@@ -1,13 +1,13 @@
 from flask import Blueprint, request
 from flask_restful import reqparse, fields, Resource, marshal_with, Api
 
-from domain import session_scope
+from domain import session_scope, UserType
 from domain.type.dietary import DietaryRestriction
 from repository.diet_repository import save_dietary_requirements
 
 from repository.diet_requirement_repository import get_dietary_requirements, get_formatted_dietary_requirements
 from repository.diet_requirement_repository import diet_requirement_to_dict
-from services.jwk import requires_auth, JWKService
+from services.jwk import requires_auth, JWKService, is_user_or_has_role
 
 # getting the data from the frontend
 new_parser = reqparse.RequestParser()
@@ -28,7 +28,6 @@
     'egg_allergy'
 ]
 
-
 get_parser = reqparse.RequestParser()
 get_parser.add_argument('user_id', type=int, required=True)
 
@@ -58,17 +57,18 @@ def get(self):
         } for k in options], 200
 
 
+"""
+This is a class to store the data of dietary requirement to the database
+"""
+
+
 class DietaryRequirement(Resource):
     """
-        This is a class to store the data of dietary requirement to the database
-        """
-
+    Returns: True if the data is updated; False if the data is unable to upload
+    """
     @requires_auth
+    @is_user_or_has_role(None, UserType.ROOT_ADMIN)
     def post(self):
-        """
-        Returns:
-            True if the data is updated; False if the data is unable to upload
-        """
         try:
             request.get_json(force=True)
             args = new_parser.parse_args()
@@ -81,9 +81,11 @@ def post(self):
             return {'result': False}, 400
 
     """
-    This is a class to retrieve the dietary requirement data from the database
+    This is a function to retrieve the dietary requirement data from the database
     """
+
     @requires_auth
+    @is_user_or_has_role(None, UserType.ROOT_ADMIN)
     def get(self):
         try:
             user_id = JWKService.decode_user_id()

diff --git a/controllers/email.py b/controllers/email.py
@@ -1,9 +1,10 @@
 from flask import Blueprint
 from flask_restful import fields, Resource, marshal_with, reqparse, Api
 
+from domain import UserType
 from services.mail_sms import MailSender
 
-from services.jwk import requires_auth
+from services.jwk import requires_auth, has_role
 
 send_email_result = {
     "result": fields.String
@@ -12,6 +13,7 @@
 
 class SendEmail(Resource):
     @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(send_email_result)
     def post(self):
         parser = reqparse.RequestParser()
@@ -23,7 +25,7 @@ def post(self):
         generate_code = args['content']
         content = """
             Hi,</br>
-            You recently requested to rest the password for your %s account. Use the code below to proceed.
+            You recently requested to reset the password for your %s account. Use the code below to proceed.
             </br></br>
             code: <strong>%s</strong>
             </br></br>

diff --git a/controllers/existing_requests.py b/controllers/existing_requests.py
@@ -4,7 +4,7 @@
 from domain import session_scope
 from repository.request_repository import *
 
-from services.jwk import requires_auth
+from services.jwk import requires_auth, has_role
 
 '''
 Define Data Input
@@ -69,14 +69,16 @@ def get(self):
             res = get_existing_requests(session)
             return {"success": True, "results": res}
 
-    @marshal_with(get_resource_list)
+    @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     def patch(self):
         args = parser.parse_args()
         with session_scope() as session:
             result = update_request_status(session, args["requestId"], args["status"])
             return {"success": result}
 
-    @marshal_with(get_resource_list)
+    @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     def delete(self):
         args = delete_parser.parse_args()
         with session_scope() as session:

diff --git a/controllers/new_request.py b/controllers/new_request.py
@@ -4,7 +4,7 @@
 from domain import session_scope
 from repository.request_repository import *
 
-from services.jwk import requires_auth
+from services.jwk import requires_auth, has_role
 
 '''
 Define Data Input
@@ -50,6 +50,7 @@
 # Make a New Request inside the DataBase
 class NewRequest(Resource):
     @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(resource_fields)
     def post(self):
         args = parser.parse_args()
@@ -60,6 +61,8 @@ def post(self):
             return {"id": new_id}
 
     # Delete a Request inside the DataBase
+    @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(resource_fields)
     def delete(self):
         args = delete_parser.parse_args()

diff --git a/controllers/profile.py b/controllers/profile.py
@@ -1,11 +1,11 @@
-from flask import Blueprint, request, jsonify
+from flask import Blueprint, request
 from flask_restful import Api, Resource, marshal_with, reqparse, fields
 
-from domain import session_scope
+from domain import session_scope, UserType
 from repository.profile import modify_profile, get_profile
 from repository.user_role_repository import get_user_roles_by_id
 
-from services.jwk import requires_auth
+from services.jwk import requires_auth, is_user_or_has_role
 
 result_fields = {
     "result": fields.Boolean
@@ -34,23 +34,25 @@
 getId.add_argument("id", type=str)
 
 
+# THESE CLASSES CAN BE COMBINED INTO ONE WITH A "post" AND "get" METHOD
+# INSTEAD OF SEPARATE CLASSES
 class EditProfile(Resource):
     @requires_auth
+    @is_user_or_has_role(None, UserType.ROOT_ADMIN)
     @marshal_with(result_fields)
     def post(self):
         request.get_json(force=True)
         args = profile.parse_args()
         with session_scope() as session:
             return {'result': modify_profile(session, args['id'], args['phone'], args['gender'], args['dietary'],
                                              args['allergy'])}
-            # result = modify_profile(session, args['id'], args['phone'], args['gender'], args['diet'], args['allergy'])
-        # return jsonify({"result": result.nameresult})
 
 
-class getProfile(Resource):
+class GetProfile(Resource):
     @requires_auth
+    @is_user_or_has_role(None, UserType.ROOT_ADMIN)
     @marshal_with(user_info_fields)
-    def post(self):
+    def get(self):
         request.get_json(force=True)
         args = getId.parse_args()
         with session_scope() as session:
@@ -72,4 +74,4 @@ def post(self):
 profile_bp = Blueprint('profile', __name__)
 api = Api(profile_bp)
 api.add_resource(EditProfile, '/profile/editProfile')
-api.add_resource(getProfile, '/profile/getProfile')
+api.add_resource(GetProfile, '/profile/getProfile')
diff --git a/controllers/reference_data.py b/controllers/reference_data.py
@@ -1,12 +1,12 @@
 from flask import Blueprint
 from flask_restful import fields, Resource, marshal_with, Api, reqparse
 
-from domain import session_scope
+from domain import session_scope, UserType
 from repository.reference_repository import get_roles, get_qualifications, add_qualification, add_role, \
     toggle_qualification, toggle_role, get_asset_type, add_asset_type, toggle_asset_type, delete_role, \
     delete_qualification, delete_asset_type
 
-from services.jwk import requires_auth
+from services.jwk import requires_auth, has_role
 
 get_role_fields = {
     'id': fields.Integer,
@@ -29,12 +29,14 @@
 
 class RoleRequest(Resource):
     @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(get_role_fields)
     def get(self):
         with session_scope() as session:
             return get_roles(session)
 
     @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(post_role_fields)
     def post(self):
         args = role_parser.parse_args()
@@ -44,6 +46,7 @@ def post(self):
             role_id = add_role(session, args['name'], args['code'])
             return {'id': role_id}
 
+    @has_role(UserType.ROOT_ADMIN)
     def patch(self):
         args = role_parser.parse_args()
         if args['id'] is None or args['id'] == '':
@@ -52,6 +55,7 @@ def patch(self):
             toggle_role(session, args['id'])
         return
 
+    @has_role(UserType.ROOT_ADMIN)
     def delete(self):
         args = role_parser.parse_args()
         if args['id'] is None or args['id'] == '':
@@ -80,6 +84,7 @@ def delete(self):
 
 class QualificationsRequest(Resource):
     @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(get_qualifications_fields)
     def get(self):
         with session_scope() as session:
@@ -95,6 +100,7 @@ def post(self):
             role_id = add_qualification(session, args['name'])
             return {'id': role_id}
 
+    @has_role(UserType.ROOT_ADMIN)
     def patch(self):
         args = qualification_parser.parse_args()
         if args['name'] is None or args['name'] == '':
@@ -103,6 +109,7 @@ def patch(self):
             toggle_qualification(session, args['name'])
         return
 
+    @has_role(UserType.ROOT_ADMIN)
     def delete(self):
         args = qualification_parser.parse_args()
         if args['id'] is None or args['id'] == '':
@@ -149,6 +156,7 @@ def post(self):
             asset_type_id = add_asset_type(session, args['code'], args['name'])
             return {'id': asset_type_id}
 
+    @has_role(UserType.ROOT_ADMIN)
     def patch(self):
         args = asset_type_parser.parse_args()
         if args['code'] is None or args['code'] == '':
@@ -157,6 +165,7 @@ def patch(self):
             toggle_asset_type(session, args['code'])
         return
 
+    @has_role(UserType.ROOT_ADMIN)
     def delete(self):
         args = asset_type_parser.parse_args()
         if args['code'] is None or args['code'] == '':

diff --git a/controllers/shift_request.py b/controllers/shift_request.py
@@ -2,10 +2,10 @@
 from flask_restful import reqparse, Resource, fields, marshal_with, Api
 
 from .utility import *
-from domain import session_scope
+from domain import session_scope, UserType
 from repository.asset_request_volunteer_repository import *
 
-from services.jwk import requires_auth
+from services.jwk import requires_auth, has_role
 
 
 # Validate a volunteer's position and role
@@ -69,7 +69,7 @@ def input_shift(value, name):
 
 # Handle the ShiftRequest endpoint
 class ShiftRequest(Resource):
-    @requires_auth
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(get_resource_fields)
     def get(self):
         args = parser.parse_args()
@@ -91,13 +91,15 @@ def get(self):
                 rtn.append(d)
         return {"results": rtn}
 
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(post_patch_resource_fields)
     def delete(self):
         args = modify_parser.parse_args()
         with session_scope() as session:
             remove_assignment(session, args['shift_id'], args['position_id'])
         return {"success": True}
 
+    @has_role(UserType.ROOT_ADMIN)
     @marshal_with(post_patch_resource_fields)
     def patch(self):
         args = modify_parser.parse_args()