Geoapi: checkviewable permissions

2024-01-03 12:24:13 +05:30 · 2024-01-03 12:24:13 +05:30 · f04aac5667
commit f04aac5667
parent 76a4e8f023
3 changed files with 23 additions and 10 deletions
--- a/src/gisaf/geoapi.py
+++ b/src/gisaf/geoapi.py
@ -7,12 +7,14 @@ import logging
 from typing import Annotated
 from asyncio import CancelledError

-from fastapi import (FastAPI, HTTPException, Response, Header, WebSocket, WebSocketDisconnect,
+from fastapi import (Depends, FastAPI, HTTPException, Response, Header, WebSocket, WebSocketDisconnect,
                     status, responses)

+from gisaf.models.authentication import User
 from gisaf.redis_tools import store as redis_store
 from gisaf.live import live_server
 from gisaf.registry import registry
+from gisaf.security import get_current_active_user, can_view


 logger = logging.getLogger(__name__)
@ -72,6 +74,7 @@ async def live_layer(store: str, websocket: WebSocket):

@api.get('/{store_name}')
 async def get_geojson(store_name,
+                      user: User = Depends(get_current_active_user),
                      If_None_Match: Annotated[str | None, Header()] = None,
                      simplify: Annotated[float | None, Header()] = 50.0,
                      ):
@ -86,8 +89,10 @@ async def get_geojson(store_name,
    except KeyError:
        raise HTTPException(status.HTTP_404_NOT_FOUND)

-    if hasattr(model, 'viewable_role') and model.viewable_role:
-        await check_permission(request, model.viewable_role)
+    if hasattr(model, 'viewable_role'):
+        if not(user and user.can_view(model)):
+            logger.info(f'{user.username if user else "Anonymous"} tried to access {model}')
+            raise HTTPException(status.HTTP_401_UNAUTHORIZED)

    if await redis_store.has_channel(store_name):
        ## Live layers