Add a user info scope and thread it through the code. Protect the org modification API.

2014-03-18 19:21:27 -04:00 · 2014-03-18 19:21:27 -04:00 · 64071b9e8e
commit 64071b9e8e
parent 89556172d5
13 changed files with 144 additions and 115 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -7,7 +7,8 @@ from flask.ext.principal import identity_changed, AnonymousIdentity

 from app import app
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
-                           log_action, internal_only, NotFound, Unauthorized)
+                           log_action, internal_only, NotFound, Unauthorized, require_user_admin,
+                           require_user_read, InvalidToken)
 from endpoints.api.subscribe import subscribe
 from endpoints.common import common_login
 from data import model
@ -107,24 +108,23 @@ class User(ApiResource):
    },
  }

+  @require_user_read
  @nickname('getLoggedInUser')
  def get(self):
    """ Get user information for the authenticated user. """
    user = get_authenticated_user()
-    if user is None or user.organization:
-      return {'anonymous': True}
+    if user.organization:
+      raise InvalidToken('User must not be an organization.')

    return user_view(user)

+  @require_user_admin
  @nickname('changeUserDetails')
  @internal_only
  @validate_json_request('UpdateUser')
  def put(self):
    """ Update a users details such as password or email. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    user_data = request.get_json()

    try:
@ -173,18 +173,15 @@ class User(ApiResource):
    except model.DataModelException as ex:
      raise request_error(exception=ex)

-
@resource('/v1/user/private')
 class PrivateRepositories(ApiResource):
  """ Operations dealing with the available count of private repositories. """
+  @require_user_admin
  @nickname('getUserPrivateAllowed')
  def get(self):
    """ Get the number of private repos this user has, and whether they are allowed to create more.
    """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    private_repos = model.get_private_repo_count(user.username)
    repos_allowed = 0

@ -252,14 +249,12 @@ class ConvertToOrganization(ApiResource):
    },
  }

+  @require_user_admin
  @nickname('convertUserToOrganization')
  @validate_json_request('ConvertUser')
  def post(self):
    """ Convert the user to an organization. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    convert_data = request.get_json()

    # Ensure that the new admin user is the not user being converted.