API: code http 403 et non 401 si permission non accordée.
This commit is contained in:
parent
0df77b20fb
commit
b2443a2c69
@ -765,7 +765,7 @@ def justif_export(justif_id: int | None = None, filename: str | None = None):
|
|||||||
current_user.has_permission(Permission.AbsJustifView)
|
current_user.has_permission(Permission.AbsJustifView)
|
||||||
or justificatif_unique.user_id == current_user.id
|
or justificatif_unique.user_id == current_user.id
|
||||||
):
|
):
|
||||||
return json_error(401, "non autorisé à voir ce fichier")
|
return json_error(403, "non autorisé à voir ce fichier")
|
||||||
|
|
||||||
# On récupère l'archive concernée
|
# On récupère l'archive concernée
|
||||||
archive_name: str = justificatif_unique.fichier
|
archive_name: str = justificatif_unique.fichier
|
||||||
|
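Review bot: The new `return json_error(403, "non autorisé à voir ce fichier")` in justif_export is the correct code for this branch, since the caller has already been authenticated and merely lacks AbsJustifView and is not the owner of the justificatif (401 is reserved for missing or invalid credentials and is expected to carry a WWW-Authenticate challenge), but nothing in the code records that distinction, so the next edit can flip it back. I would add a one-line comment above the return, `# 403 (not 401): caller is authenticated but lacks AbsJustifView and is not the owner`. The enclosing `if not (` and the start of justif_export lie outside the hunk, so whether the condition has other branches cannot be seen here. The same 401→403 replacement recurs in every group/partition hunk below (group_set_etudiant through partition_delete); a single comment at a shared spot, or a named constant for the status code, would document it once rather than in each handler.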
@ -169,7 +169,7 @@ def group_set_etudiant(group_id: int, etudid: int):
|
|||||||
if not group.partition.formsemestre.etat:
|
if not group.partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not group.partition.formsemestre.can_change_groups():
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
|
if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
|
||||||
return json_error(404, "etud non inscrit au formsemestre du groupe")
|
return json_error(404, "etud non inscrit au formsemestre du groupe")
|
||||||
|
|
||||||
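Review bot: In group_set_etudiant the `formsemestre.etat` check still runs before `can_change_groups()`, so a caller with no rights on the semester is told "formsemestre verrouillé" before being told "opération non autorisée", which discloses the lock state of a semester they are not allowed to touch; the conventional order is to reject the unauthorized caller first and only then report resource state. Swapping the two `if` blocks (authorization first, then the etat check) fixes this without changing the codes; the same ordering appears in group_remove_etud, partition_remove_etud, partition_create, formsemestre_set_partitions_order, partition_order_groups, partition_edit and partition_delete, and in group_create, group_delete and group_edit the `groups_editable` check plays the same role ahead of `can_change_groups()`. I cannot tell from these hunks whether can_change_groups() itself consults etat, in which case the leak is moot but the order is still the clearer one. Note also that "verrouillé" and "non autorisée" now both return 403, so API clients can no longer tell them apart by status code, only by message; if that distinction matters to clients it should be stated in the API documentation.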
@ -202,7 +202,7 @@ def group_remove_etud(group_id: int, etudid: int):
|
|||||||
if not group.partition.formsemestre.etat:
|
if not group.partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not group.partition.formsemestre.can_change_groups():
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
|
|
||||||
group.remove_etud(etud)
|
group.remove_etud(etud)
|
||||||
|
|
||||||
@ -232,7 +232,7 @@ def partition_remove_etud(partition_id: int, etudid: int):
|
|||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not partition.formsemestre.can_change_groups():
|
if not partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
db.session.execute(
|
db.session.execute(
|
||||||
sa.text(
|
sa.text(
|
||||||
"""DELETE FROM group_membership
|
"""DELETE FROM group_membership
|
||||||
@ -289,7 +289,7 @@ def group_create(partition_id: int): # partition-group-create
|
|||||||
if not partition.groups_editable:
|
if not partition.groups_editable:
|
||||||
return json_error(403, "partition non editable")
|
return json_error(403, "partition non editable")
|
||||||
if not partition.formsemestre.can_change_groups():
|
if not partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
|
|
||||||
args = request.get_json(force=True) # may raise 400 Bad Request
|
args = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
group_name = args.get("group_name")
|
group_name = args.get("group_name")
|
||||||
@ -337,7 +337,7 @@ def group_delete(group_id: int):
|
|||||||
if not group.partition.groups_editable:
|
if not group.partition.groups_editable:
|
||||||
return json_error(403, "partition non editable")
|
return json_error(403, "partition non editable")
|
||||||
if not group.partition.formsemestre.can_change_groups():
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
formsemestre_id = group.partition.formsemestre_id
|
formsemestre_id = group.partition.formsemestre_id
|
||||||
log(f"deleting {group}")
|
log(f"deleting {group}")
|
||||||
db.session.delete(group)
|
db.session.delete(group)
|
||||||
@ -378,7 +378,7 @@ def group_edit(group_id: int):
|
|||||||
if not group.partition.groups_editable:
|
if not group.partition.groups_editable:
|
||||||
return json_error(403, "partition non editable")
|
return json_error(403, "partition non editable")
|
||||||
if not group.partition.formsemestre.can_change_groups():
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
|
|
||||||
args = request.get_json(force=True) # may raise 400 Bad Request
|
args = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
if "group_name" in args:
|
if "group_name" in args:
|
||||||
@ -423,7 +423,7 @@ def group_set_edt_id(group_id: int, edt_id: str):
|
|||||||
)
|
)
|
||||||
group: GroupDescr = query.first_or_404()
|
group: GroupDescr = query.first_or_404()
|
||||||
if not group.partition.formsemestre.can_change_groups():
|
if not group.partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
log(f"group_set_edt_id( {group_id}, '{edt_id}' )")
|
log(f"group_set_edt_id( {group_id}, '{edt_id}' )")
|
||||||
group.edt_id = edt_id
|
group.edt_id = edt_id
|
||||||
db.session.add(group)
|
db.session.add(group)
|
||||||
@ -461,7 +461,7 @@ def partition_create(formsemestre_id: int):
|
|||||||
if not formsemestre.etat:
|
if not formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not formsemestre.can_change_groups():
|
if not formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
data = request.get_json(force=True) # may raise 400 Bad Request
|
data = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
partition_name = data.get("partition_name")
|
partition_name = data.get("partition_name")
|
||||||
if partition_name is None:
|
if partition_name is None:
|
||||||
@ -523,7 +523,7 @@ def formsemestre_set_partitions_order(formsemestre_id: int):
|
|||||||
if not formsemestre.etat:
|
if not formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not formsemestre.can_change_groups():
|
if not formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
partition_ids = request.get_json(force=True) # may raise 400 Bad Request
|
partition_ids = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
if not isinstance(partition_ids, list) and not all(
|
if not isinstance(partition_ids, list) and not all(
|
||||||
isinstance(x, int) for x in partition_ids
|
isinstance(x, int) for x in partition_ids
|
||||||
@ -569,7 +569,7 @@ def partition_order_groups(partition_id: int):
|
|||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not partition.formsemestre.can_change_groups():
|
if not partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
group_ids = request.get_json(force=True) # may raise 400 Bad Request
|
group_ids = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
if not isinstance(group_ids, list) and not all(
|
if not isinstance(group_ids, list) and not all(
|
||||||
isinstance(x, int) for x in group_ids
|
isinstance(x, int) for x in group_ids
|
||||||
@ -623,7 +623,7 @@ def partition_edit(partition_id: int):
|
|||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not partition.formsemestre.can_change_groups():
|
if not partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
data = request.get_json(force=True) # may raise 400 Bad Request
|
data = request.get_json(force=True) # may raise 400 Bad Request
|
||||||
modified = False
|
modified = False
|
||||||
partition_name = data.get("partition_name")
|
partition_name = data.get("partition_name")
|
||||||
@ -689,7 +689,7 @@ def partition_delete(partition_id: int):
|
|||||||
if not partition.formsemestre.etat:
|
if not partition.formsemestre.etat:
|
||||||
return json_error(403, "formsemestre verrouillé")
|
return json_error(403, "formsemestre verrouillé")
|
||||||
if not partition.formsemestre.can_change_groups():
|
if not partition.formsemestre.can_change_groups():
|
||||||
return json_error(401, "opération non autorisée")
|
return json_error(403, "opération non autorisée")
|
||||||
if not partition.partition_name:
|
if not partition.partition_name:
|
||||||
return json_error(
|
return json_error(
|
||||||
API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"
|
API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"
|
||||||
|