author | Cédric Bonhomme <cedric@cedricbonhomme.org> | 2016-04-19 12:50:17 +0200 |
---|---|---|
committer | Cédric Bonhomme <cedric@cedricbonhomme.org> | 2016-04-19 12:50:17 +0200 |
commit | 1b8b4e7786d5fd29ee528407590c88dffdd15714 (patch) | |
tree | f0220866cc8fcbc283082bef3bc63dea0000e775 /src | |
parent | Test preprocessors with Flask-Restless. (diff) | |
Check if the user is authenticated before checking if the user is authorized to access the object.
Diffstat (limited to 'src')
-rw-r--r-- | src/web/views/api/v3/article.py | 4 | ||||
-rw-r--r-- | src/web/views/api/v3/common.py | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/src/web/views/api/v3/article.py b/src/web/views/api/v3/article.py
index 2f276170..da75dc47 100644
--- a/src/web/views/api/v3/article.py
+++ b/src/web/views/api/v3/article.py
@@ -1,9 +1,9 @@
 from web import models
 from bootstrap import application, manager
-from web.views.api.v3.common import check_auth
+from web.views.api.v3.common import auth_func, check_auth
 blueprint_article = manager.create_api_blueprint(models.Article, methods=['GET', 'POST', 'PUT', 'DELETE'],
- preprocessors=dict(GET_SINGLE=[check_auth]))
+ preprocessors=dict(GET_SINGLE=[auth_func, check_auth]))
 application.register_blueprint(blueprint_article)
diff --git a/src/web/views/api/v3/common.py b/src/web/views/api/v3/common.py
index f5bd2dea..8831b8ba 100644
--- a/src/web/views/api/v3/common.py
+++ b/src/web/views/api/v3/common.py
@@ -1,10 +1,14 @@
 from flask.ext.login import current_user
+from flask.ext.restless import ProcessingException
 from web.controllers import ArticleController
 def is_authorized_to_modify(user, obj): return user.id == obj.user_id
+def auth_func(*args, **kw):
+ if not current_user.is_authenticated:
+ raise ProcessingException(description='Not authenticated!', code=401)
 def check_auth(instance_id=None, **kw): # Check if the user is authorized to modify the specified |
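Review bot: The authentication preprocessor is registered only under `GET_SINGLE`, while the same call exposes `methods=['GET', 'POST', 'PUT', 'DELETE']`. Unless other preprocessors are attached outside this hunk, collection reads and every write method reach the Article model without `auth_func` or `check_auth` running. I would cover each exposed method, for example `preprocessors=dict(GET_SINGLE=[auth_func, check_auth], GET_MANY=[auth_func], POST=[auth_func], PUT_SINGLE=[auth_func, check_auth], DELETE_SINGLE=[auth_func, check_auth])`, with the key names checked against the Flask-Restless version in use. `GET_MANY` and `POST` would presumably also need a per-user restriction, since `check_auth` works from an `instance_id`.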
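Review bot: `if not current_user.is_authenticated:` in `auth_func` is only a real check when `is_authenticated` is a property; in Flask-Login releases before 0.3 it is a method, so the bound method is always truthy and the 401 is never raised. The Flask-Login version is not visible here, so the dependency should be pinned to 0.3 or later, or the requirement recorded in a comment such as `# requires Flask-Login >= 0.3 (is_authenticated is a property)`. The new function also has no docstring; `"""Flask-Restless preprocessor: reject the request with 401 when no user is logged in."""` would state its role. `check_auth` continues outside the hunk, so whether it relies on `auth_func` having run first cannot be confirmed from these lines.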