From 4ca8660b1d968eaf7bc5fe50aae433c00d39064f Mon Sep 17 00:00:00 2001
From: Michael Weimann
Date: Fri, 2 Jul 2021 16:33:48 +0200
Subject: [PATCH] implement visible authorisation

---
 ki/routes.py | 3 +++
 ki/test/test_profile_endpoint.py | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/ki/routes.py b/ki/routes.py
index f9e700d..ac13884 100644
--- a/ki/routes.py
+++ b/ki/routes.py
@@ -116,6 +116,9 @@ def get_user_profile(user_id):
 if profile is None:
 return make_response({}, 404)
 
+ if not profile.visible and profile.user.id != g.user.id:
+ return make_response({}, 403)
+
 return make_response({
 "profile": profile.to_dict(),
 })
diff --git a/ki/test/test_profile_endpoint.py b/ki/test/test_profile_endpoint.py
index 626d104..33b786b 100644
--- a/ki/test/test_profile_endpoint.py
+++ b/ki/test/test_profile_endpoint.py
@@ -139,6 +139,11 @@ class TestProfileEndpoint(ApiTest):
 self.assertEqual(second_language.language_id, "es")
 self.assertEqual(second_language.level, 2)
 
+ def test_get_profile_unauthorised(self):
+
+ response = self.client.get("/users/1/profile")
+ self.assertEqual(response.status_code, 401)
+
 def test_get_profile(self):
 login_data = {"username": "peter", "password": "geheim"}
 login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
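Review bot: Returning 403 for a non-visible profile discloses that a profile exists for that user id, while the line just above returns 404 when none exists, so any authenticated caller can tell hidden profiles apart from missing ones by comparing the two status codes. Unless the client genuinely needs that distinction, answer both cases identically, `return make_response({}, 404)`, or add a comment stating why the existence disclosure is acceptable here. The new condition also dereferences `g.user.id`, so it depends on an authentication guard having already rejected anonymous requests before this point (the test in ki/test/test_profile_endpoint.py expects 401 for that case), which is not visible in this hunk; if `g.user` can ever be unset here the comparison raises instead of denying. The body of get_user_profile starts outside the hunk.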
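Review bot: test_get_profile_unauthorised only asserts the unauthenticated 401 path and never reaches the visibility check added in ki/routes.py, so the 403 branch this commit introduces has no test. A test that logs in as one user and requests another user's profile marked not visible (expecting 403), together with one where the owner requests their own hidden profile (expecting 200), would pin the intended behaviour; the fixtures needed for a non-visible profile are not shown in this hunk, so I have not written it out. The blank line directly after `def test_get_profile_unauthorised(self):` is stray and should be dropped to match the neighbouring test methods. TestProfileEndpoint continues outside the hunk.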