Adding simple permission to routes

back/app/contract/__init__.py

@@ -10,24 +10,19 @@ from .schemas import ContractCreate, ContractRead, ContractUpdate
 
 from ..entity.models import Entity
 from ..template.models import ProvisionTemplate
+from ..user.manager import get_current_user, get_current_superuser
 
 contract_router = get_crud_router(Contract, ContractCreate, ContractRead, ContractUpdate)
 del(contract_router.routes[0])
 del(contract_router.routes[2])
 del(contract_router.routes[2])
 
-contract_router.include_router(draft_router, prefix="/draft", tags=["draft"], )
+contract_router.include_router(draft_router, prefix="/draft", )
-contract_router.include_router(print_router, prefix="/print", tags=["print"], )
+contract_router.include_router(print_router, prefix="/print", )
-
-
-def can_create_contract():
-    class User:
-        entity_id = '63d127bcf355de8e65a193e1'
-    return User()
 
 
 @contract_router.post("/", response_description="Contract Successfully created")
-async def create(item: ContractCreate, user=Depends(can_create_contract)) -> dict:
+async def create(item: ContractCreate, user=Depends(get_current_user)) -> dict:
     await item.validate_foreign_key()
 
     draft = await ContractDraft.get(item.draft_id)
@@ -72,5 +67,15 @@ async def create(item: ContractCreate, user=Depends(can_create_contract)) -> dic
 
 
 @contract_router.put("/{id}", response_description="")
-async def update(id: str, req: ContractUpdate) -> ContractRead:
+async def update(id: str, contract_form: ContractUpdate, user=Depends(get_current_superuser)) -> ContractRead:
     raise HTTPException(status_code=400, detail="No modification on contract")
+
+
+@contract_router.get("/signature/{signature_id}", response_description="")
+async def get_signature(signature_id: str) -> ContractRead:
+    raise HTTPException(status_code=500, detail="Not implemented")
+
+
+@contract_router.post("/signature/{signature_id}", response_description="")
+async def affix_signature(signature_id: str, signature_form: ContractCreate) -> ContractRead:
+    raise HTTPException(status_code=500, detail="Not implemented")

back/app/core/routes.py

@@ -1,10 +1,12 @@
 from beanie import PydanticObjectId
 from beanie.operators import And, RegEx, Eq
 
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Depends
 from fastapi_paginate import Page, Params, add_pagination
 from fastapi_paginate.ext.motor import paginate
 
+from ..user.manager import get_current_user, get_current_superuser
+
 
 def parse_sort(sort_by):
     if not sort_by:
@@ -55,18 +57,19 @@ def get_crud_router(model, model_create, model_read, model_update):
     router = APIRouter()
 
     @router.post("/", response_description="{} added to the database".format(model.__name__))
-    async def create(item: model_create) -> dict:
+    async def create(item: model_create, user=Depends(get_current_user)) -> dict:
         await item.validate_foreign_key()
         o = await model(**item.dict()).create()
         return {"message": "{} added successfully".format(model.__name__), "id": o.id}
 
     @router.get("/{id}", response_description="{} record retrieved".format(model.__name__))
-    async def read_id(id: PydanticObjectId) -> model_read:
+    async def read_id(id: PydanticObjectId, user=Depends(get_current_user)) -> model_read:
         item = await model.get(id)
         return model_read(**item.dict())
 
     @router.get("/", response_model=Page[model_read], response_description="{} records retrieved".format(model.__name__))
-    async def read_list(size: int = 50, page: int = 1, sort_by: str = None, query: str = None) -> Page[model_read]:
+    async def read_list(size: int = 50, page: int = 1, sort_by: str = None, query: str = None,
+                        user=Depends(get_current_user)) -> Page[model_read]:
         sort = parse_sort(sort_by)
         query = parse_query(query, model_read)
 
@@ -75,7 +78,7 @@ def get_crud_router(model, model_create, model_read, model_update):
         return await items
 
     @router.put("/{id}", response_description="{} record updated".format(model.__name__))
-    async def update(id: PydanticObjectId, req: model_update) -> model_read:
+    async def update(id: PydanticObjectId, req: model_update, user=Depends(get_current_user)) -> model_read:
         req = {k: v for k, v in req.dict().items() if v is not None}
         update_query = {"$set": {
             field: value for field, value in req.items()
@@ -92,7 +95,7 @@ def get_crud_router(model, model_create, model_read, model_update):
         return model_read(**item.dict())
 
     @router.delete("/{id}", response_description="{} record deleted from the database".format(model.__name__))
-    async def delete(id: PydanticObjectId) -> dict:
+    async def delete(id: PydanticObjectId, user=Depends(get_current_superuser)) -> dict:
         item = await model.get(id)
 
         if not item:

back/app/user/__init__.py

@@ -1,3 +1,3 @@
-from .routes import router as user_router, get_auth_router
+from .routes import router as user_router
-
+from .manager import get_auth_router
 from .models import User, AccessToken

back/app/user/manager.py

@@ -107,6 +107,7 @@ fastapi_users = FastAPIUsers[User, uuid.UUID](
 )
 
 get_current_user = fastapi_users.current_user(active=True)
+get_current_superuser = fastapi_users.current_user(active=True, superuser=True)
 
 
 def get_auth_router():

back/app/user/routes.py

@@ -7,15 +7,15 @@ from typing import List
 
 from .models import User
 from .schemas import UserRead, UserUpdate, UserCreate
-from .manager import get_user_manager, get_current_user, get_auth_router
+from .manager import get_user_manager, get_current_user, get_current_superuser
 
 
 router = APIRouter()
 
 
 @router.post("/", response_description="User added to the database")
-async def create(user: UserCreate, user_manager=Depends(get_user_manager)) -> dict:
+async def create(user_form: UserCreate, user_manager=Depends(get_user_manager), user=Depends(get_current_superuser)) -> dict:
-    await user_manager.create(user, safe=True)
+    await user_manager.create(user_form, safe=True)
     return {"message": "User added successfully"}
 
 
@@ -26,22 +26,22 @@ async def read_me(user=Depends(get_current_user)) -> UserRead:
 
 
 @router.get("/{id}", response_description="User record retrieved")
-async def read_id(id: PydanticObjectId) -> UserRead:
+async def read_id(id: PydanticObjectId, user=Depends(get_current_superuser)) -> UserRead:
     user = await User.get(id)
     return UserRead(**user.dict())
 
 
 @router.get("/", response_model=List[UserRead], response_description="User records retrieved")
-async def read_list() -> List[UserRead]:
+async def read_list(user=Depends(get_current_superuser)) -> List[UserRead]:
     users = await User.find_all().to_list()
     return users
 
 
 @router.put("/{id}", response_description="User record updated")
-async def update(id: PydanticObjectId, req: UserUpdate) -> UserRead:
+async def update(id: PydanticObjectId, user_form: UserUpdate, user=Depends(get_current_superuser)) -> UserRead:
-    req = {k: v for k, v in req.dict().items() if v is not None}
+    user_form = {k: v for k, v in user_form.dict().items() if v is not None}
     update_query = {"$set": {
-        field: value for field, value in req.items()
+        field: value for field, value in user_form.items()
     }}
 
     user = await User.get(id)
@@ -56,7 +56,7 @@ async def update(id: PydanticObjectId, req: UserUpdate) -> UserRead:
 
 
 @router.delete("/{id}", response_description="User record deleted from the database")
-async def delete(id: PydanticObjectId) -> dict:
+async def delete(id: PydanticObjectId, user=Depends(get_current_superuser)) -> dict:
     record = await User.get(id)
 
     if not record: