add permission checks to api

front-matter · Oct 30, 2024 · 25892c4 · 25892c4
1 parent 9b7ec84
commit 25892c4
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/api/__init__.py b/api/__init__.py
@@ -249,6 +249,13 @@ async def blog(slug):
 async def post_blog(slug):
     """Update blog by slug, using information from the blog's feed.
     Create InvenioRDM entry for the blog."""
+    if (
+        request.headers.get("Authorization", None) is None
+        or request.headers.get("Authorization").split(" ")[1]
+        != environ["QUART_SUPABASE_SERVICE_ROLE_KEY"]
+    ):
+        return {"error": "Unauthorized."}, 401
+
     result = await extract_single_blog(slug)
     return jsonify(result)
 
@@ -392,6 +399,12 @@ async def post_posts():
 @app.route("/posts/<slug>/<suffix>", methods=["POST"])
 async def post_post(slug: str, suffix: Optional[str] = None):
     """Update post by either uuid or doi, using information from the blog's feed."""
+    if (
+        request.headers.get("Authorization", None) is None
+        or request.headers.get("Authorization").split(" ")[1]
+        != environ["QUART_SUPABASE_SERVICE_ROLE_KEY"]
+    ):
+        return {"error": "Unauthorized."}, 401
 
     try:
         result = await update_single_post(slug, suffix=suffix)
@@ -670,6 +683,18 @@ async def delete_record(slug: str):
         return {"error": "An error occured."}, 400
 
 
+# @app.route("/communities/<slug>/featured", methods=["POST"])
+# async def feature_community(slug: str):
+#     """feature InvenioRDM community using slug."""
+#     try:
+#         community_id = await get_community_id(slug)
+#         result = await get_community(slug)
+#         return jsonify(result)
+#     except Exception as e:
+#         logger.warning(e.args[0])
+#         return {"error": "An error occured."}, 400
+
+
 @app.errorhandler(RequestSchemaValidationError)
 async def handle_request_validation_error():
     return {"error": "VALIDATION"}, 400
diff --git a/api/blogs.py b/api/blogs.py
@@ -136,7 +136,7 @@ async def extract_single_blog(slug: str):
             language = language.split("-")[0]
     except Exception as error:
         print(error)
-        
+
         home_page_url = config["home_page_url"]
         updated_at = config["updated_at"] or 0
         feed_format = config["feed_format"]
@@ -425,8 +425,34 @@ def upload_blog_logo(blog):
         return None
 
 
+# def get_community(slug):
+#     """Get InvenioRDM community by slug."""
+#     try:
+#         url = f"{environ['QUART_INVENIORDM_API']}/api/communities?q=slug:{slug}"
+#         response = httpx.get(url, timeout=10)
+#         print(response.json())
+#         return response.json()
+#         # result = response.json()
+#         # if py_.get(result, "hits.total") != 1:
+#         #     return result
+#         # return py_.pick(
+#         #     result,
+#         #     [
+#         #         "hits.hits[0].id",
+#         #         "hits.hits[0].metadata.type.id",
+#         #         "hits.hits[0].metadata.title",
+#         #         "hits.hits[0].metadata.description",
+#         #         "hits.hits[0].metadata.website",
+#         #         "hits.hits[0].metadata.logo",
+#         #     ],
+#         # )
+#     except Exception as error:
+#         print(error)
+#         return None
+
+
 def feature_community(id):
-    """Feature an InvenioRDM community."""
+    """Feature an InvenioRDM community by id."""
     try:
         url = f"{environ['QUART_INVENIORDM_API']}/api/communities/{id}/featured"
         headers = {"Authorization": f"Bearer {environ['QUART_INVENIORDM_TOKEN']}"}