implement visible authorisation

2021-07-02 16:33:48 +02:00 · 2021-07-02 16:33:48 +02:00 · 4ca8660b1d
commit 4ca8660b1d
parent 9f4795b9f1
2 changed files with 8 additions and 0 deletions
--- a/ki/routes.py
+++ b/ki/routes.py
@ -116,6 +116,9 @@ def get_user_profile(user_id):
    if profile is None:
        return make_response({}, 404)

+    if not profile.visible and profile.user.id != g.user.id:
+        return make_response({}, 403)
+
    return make_response({
        "profile": profile.to_dict(),
    })
--- a/ki/test/test_profile_endpoint.py
+++ b/ki/test/test_profile_endpoint.py
@ -139,6 +139,11 @@ class TestProfileEndpoint(ApiTest):
            self.assertEqual(second_language.language_id, "es")
            self.assertEqual(second_language.level, 2)

+    def test_get_profile_unauthorised(self):
+
+        response = self.client.get("/users/1/profile")
+        self.assertEqual(response.status_code, 401)
+
    def test_get_profile(self):
        login_data = {"username": "peter", "password": "geheim"}
        login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")