Add a user info scope and thread it through the code. Protect the org modification API.

2014-03-18 19:21:27 -04:00 · 2014-03-18 19:21:27 -04:00 · 64071b9e8e
commit 64071b9e8e
parent 89556172d5
13 changed files with 144 additions and 115 deletions
--- a/endpoints/api/billing.py
+++ b/endpoints/api/billing.py
@ -3,7 +3,8 @@ import stripe
 from flask import request

 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, log_action,
-                           related_user_resource, internal_only, Unauthorized, NotFound)
+                           related_user_resource, internal_only, Unauthorized, NotFound,
+                           require_user_admin)
 from endpoints.api.subscribe import subscribe, subscription_view
 from auth.permissions import AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
@ -109,23 +110,19 @@ class UserCard(ApiResource):
    },
  }

+  @require_user_admin
  @nickname('getUserCard')
  def get(self):
    """ Get the user's credit card. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    return get_card(user)

+  @require_user_admin
  @nickname('setUserCard')
  @validate_json_request('UserCard')
  def post(self):
    """ Update the user's credit card. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    token = request.get_json()['token']
    response = set_card(user, token)
    log_action('account_change_cc', user.username)
@ -204,6 +201,7 @@ class UserPlan(ApiResource):
    },
  }

+  @require_user_admin
  @nickname('updateUserSubscription')
  @validate_json_request('UserSubscription')
  def put(self):
@ -212,18 +210,13 @@ class UserPlan(ApiResource):
    plan = request_data['plan']
    token = request_data['token'] if 'token' in request_data else None
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-    
    return subscribe(user, plan, token, False)  # Business features not required

+  @require_user_admin
  @nickname('getUserSubscription')
  def get(self):
    """ Fetch any existing subscription for the user. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    private_repos = model.get_private_repo_count(user.username)

    if user.stripe_id:
@ -302,13 +295,11 @@ class OrganizationPlan(ApiResource):
@resource('/v1/user/invoices')
 class UserInvoiceList(ApiResource):
  """ Resource for listing a user's invoices. """
+  @require_user_admin
  @nickname('listUserInvoices')
  def get(self):
    """ List the invoices for the current user. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    if not user.stripe_id:
      raise NotFound()