From 65255f2a8ec76aef251b17e5568fd31432161712 Mon Sep 17 00:00:00 2001
From: LiuHua <10215101452@stu.ecnu.edu.cn>
Date: Wed, 4 Sep 2024 11:53:45 +0800
Subject: [PATCH] Add Authorization checks (#2235)
### What problem does this PR solve?
Add Authorization checks
### Type of change
- [x] New Feature (non-breaking change which adds functionality)
Co-authored-by: Feiue <10215101452@stu.ecun.edu.cn>
---
api/apps/canvas_app.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/api/apps/canvas_app.py b/api/apps/canvas_app.py
index 982f62542..acc173dde 100644
--- a/api/apps/canvas_app.py
+++ b/api/apps/canvas_app.py
@@ -68,8 +68,11 @@ def save():
 if not UserCanvasService.save(**req):
 return get_data_error_result(retmsg="Fail to save canvas.")
 else:
+ if not UserCanvasService.query(user_id=current_user.id, id=req["id"]):
+ return get_json_result(
+ data=False, retmsg=f'Only owner of canvas authorized for this operation.',
+ retcode=RetCode.OPERATING_ERROR)
 UserCanvasService.update_by_id(req["id"], req)
-
 return get_json_result(data=req)
@@ -91,6 +94,10 @@ def run():
 e, cvs = UserCanvasService.get_by_id(req["id"])
 if not e:
 return get_data_error_result(retmsg="canvas not found.")
+ if not UserCanvasService.query(user_id=current_user.id, id=req["id"]):
+ return get_json_result(
+ data=False, retmsg=f'Only owner of canvas authorized for this operation.',
+ retcode=RetCode.OPERATING_ERROR)
 if not isinstance(cvs.dsl, str):
 cvs.dsl = json.dumps(cvs.dsl, ensure_ascii=False)
@@ -157,6 +164,10 @@ def reset():
 e, user_canvas = UserCanvasService.get_by_id(req["id"])
 if not e:
 return get_data_error_result(retmsg="canvas not found.")
+ if not UserCanvasService.query(user_id=current_user.id, id=req["id"]):
+ return get_json_result(
+ data=False, retmsg=f'Only owner of canvas authorized for this operation.',
+ retcode=RetCode.OPERATING_ERROR)
 canvas = Canvas(json.dumps(user_canvas.dsl), current_user.id)
 canvas.reset()
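Review bot: In the run() and reset() hunks the ownership query runs only after `UserCanvasService.get_by_id` has already answered "canvas not found.", so a caller who does not own a canvas can still tell whether a given id exists; moving the `UserCanvasService.query(user_id=current_user.id, id=req["id"])` check above the `get_by_id` call gives non-owners the same response for existing and missing ids. The same four lines are pasted into save(), run() and reset() — a small helper that returns the refusal response (or None) keeps the three sites identical and makes a later change of the code or message a one-line edit; the `f'...'` prefix on the message is also unnecessary since the string has no placeholders. `RetCode.OPERATING_ERROR` reads as a generic failure for an authorization refusal; if `RetCode` defines a permission-specific code, returning that would let clients and logs distinguish a denied request from a failed one. The enclosing functions start before each hunk, and the reset() hunk's trailing context is cut off at the end of the patch.
```python
def _canvas_owner_or_error(canvas_id):
    """Return None when the current user owns canvas_id, else the refusal response."""
    if UserCanvasService.query(user_id=current_user.id, id=canvas_id):
        return None
    return get_json_result(
        data=False, retmsg='Only owner of canvas authorized for this operation.',
        retcode=RetCode.OPERATING_ERROR)

# … unchanged: save() up to the update branch …
        denied = _canvas_owner_or_error(req["id"])
        if denied is not None:
            return denied
        UserCanvasService.update_by_id(req["id"], req)

# … in run() and reset(): same three lines placed before the get_by_id call …
```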