diff --git a/src/api/v1/tasks.py b/src/api/v1/tasks.py index 27e4edd..4ea7fb7 100644 --- a/src/api/v1/tasks.py +++ b/src/api/v1/tasks.py @@ -1,28 +1,20 @@ from typing import Annotated -from fastapi import APIRouter, Body, Depends +from fastapi import APIRouter, Body, Depends, HTTPException from src.api.dependacies.db_dep import sessionDep -from src.api.dependacies.task_dep import TaskFilterDep -from src.api.dependacies.user_dep import ActiveUser, TaskOwnerDep +from src.api.dependacies.user_dep import ActiveUser from src.schemas.tasks import TaskADDRequest, TaskPATCHRequest from src.services.tasks import TaskService -from src.services.users import UserService router = APIRouter(prefix="/tasks", tags=["Tasks"]) -@router.get("/") -async def get_tasks(session: sessionDep, user: ActiveUser, filter: TaskFilterDep): - result = await UserService(session).get_user_with_tasks( - user_id=user.id, **filter.model_dump(exclude_unset=True) - ) - return result - - @router.get("/{id}") -async def get_task_id(session: sessionDep, id: int, _: TaskOwnerDep): +async def get_task_id(session: sessionDep, id: int, user: ActiveUser): task = await TaskService(session).get_task(id) + if task.user_id != user.id and user.is_superuser is False: + raise HTTPException(status_code=403, detail="Forbidden") return task 
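Review bot: The new ownership guard in get_task_id, `if task.user_id != user.id and user.is_superuser is False:`, fails open whenever is_superuser is anything other than the literal False — if the attribute can ever be None (a nullable column) or 0, `None is False` evaluates False, so the 403 is skipped for a non-owner. Use truthiness instead: `if task.user_id != user.id and not user.is_superuser:`. The same `is False` comparison appears in patch_task and delete_task in the next hunk and in patch_user in users.py. Separately, answering 403 rather than 404 for another user's task confirms that the id exists; whether that matters depends on how guessable task ids are in this deployment.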
@@ -42,17 +34,26 @@ async def post_task( async def patch_task( session: sessionDep, id: int, - _: TaskOwnerDep, + user: ActiveUser, task_data: TaskPATCHRequest = Body(), ): - task = await TaskService(session).update_task(id, task_data) - return task + if user.is_superuser is False: + task = await TaskService(session).get_task(id) + if task.user_id != user.id: + raise HTTPException(status_code=403, detail="Forbidden") + updated_task = await TaskService(session).update_task(id, task_data) + return updated_task @router.delete("/{id}") async def delete_task( session: sessionDep, id: int, - _: TaskOwnerDep, + user: ActiveUser, ): + if user.is_superuser is False: + task = await TaskService(session).get_task(id) + if task.user_id != user.id: + raise HTTPException(status_code=403, detail="Forbidden") await TaskService(session).delete_task(id) + return {"message": "Task deleted successfully"} diff --git a/src/api/v1/users.py b/src/api/v1/users.py index 9091579..c0da29e 100644 --- a/src/api/v1/users.py +++ b/src/api/v1/users.py @@ -4,7 +4,6 @@ from src.api.dependacies.db_dep import sessionDep from src.api.dependacies.user_dep import ( ActiveUser, AdminUser, - OwnerDep, ) from src.core.settings import settings from src.schemas.users import UserUpdate @@ -20,7 +19,7 @@ async def get_all_users(session: sessionDep, _: AdminUser): @router.get("/{id}") -async def get_user_by_id(session: sessionDep, id: int, _: OwnerDep): +async def get_user_by_id(session: sessionDep, id: int, _: AdminUser): user = await UserService(session).get_user_by_filter_or_raise(id=id) return user @@ -39,9 +38,11 @@ async def get_user_tasks(session: sessionDep, id: int, user: ActiveUser): async def patch_user( session: sessionDep, id: int, - _: OwnerDep, + user: ActiveUser, user_update: UserUpdate = Body(), ): + if user.id != id and user.is_superuser is False: + raise HTTPException(status_code=403, detail="Forbidden") updated_user = await UserService(session).update_user( id=id, update_data=user_update ) 
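Review bot: patch_task and delete_task repeat the same four-line fetch-and-compare block that get_task_id inlines in a different shape, and patch_task constructs TaskService(session) twice; the ownership rule now lives in three places and will drift. A module-level helper that loads the task and enforces the rule keeps one definition, and calling it for superusers too means an unknown id is rejected by get_task consistently instead of reaching update_task or delete_task (confirm get_task raises on unknown ids — its body is in src/services/tasks.py, outside this hunk). patch_task's signature starts above the hunk.

```python
async def _get_task_for_user(session: sessionDep, id: int, user: ActiveUser):
    """Load task `id`; raise 403 unless `user` owns it or is a superuser."""
    task = await TaskService(session).get_task(id)
    if task.user_id != user.id and not user.is_superuser:
        raise HTTPException(status_code=403, detail="Forbidden")
    return task


# … unchanged: patch_task decorator and signature …
    await _get_task_for_user(session, id, user)
    return await TaskService(session).update_task(id, task_data)


# … unchanged: delete_task decorator and signature …
    await _get_task_for_user(session, id, user)
    await TaskService(session).delete_task(id)
    return {"message": "Task deleted successfully"}
```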
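Review bot: Swapping OwnerDep for AdminUser on get_user_by_id removes a user's ability to read their own record, while patch_user in the next hunk still lets a user update their own; if self-read is meant to stay, the consistent form is `user: ActiveUser` plus `if user.id != id and not user.is_superuser: raise HTTPException(status_code=403, detail="Forbidden")`. If admin-only is intended, a one-line docstring such as `"""Admin-only: return any user by id."""` would stop the next reader from "fixing" it back.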
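Review bot: patch_user now lets any active user update their own record, so every field UserUpdate accepts becomes self-editable; if that schema includes a privilege or status flag such as is_superuser, this is a mass-assignment escalation path — confirm the schema excludes such fields, or strip them for non-superusers before calling update_user (the schema lives in src/schemas/users.py, not in this diff). The hunk also raises HTTPException, but the users.py import lines above line 4 are outside the view, so confirm it is imported there — tasks.py needed the explicit addition in this same commit. The function's tail runs past the hunk.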
@@ -49,6 +50,6 @@ async def patch_user( @router.delete("/{id}") -async def delete_user(session: sessionDep, id: int, _: AdminUser): +async def delete_user(session: sessionDep, id: int, user: AdminUser): await UserService(session).delete_user(id) return {"message": "User deleted successfully"} diff --git a/src/services/tasks.py b/src/services/tasks.py index 8d43720..f093e05 100644 --- a/src/services/tasks.py +++ b/src/services/tasks.py @@ -1,13 +1,10 @@ from fastapi import HTTPException -from src.models.tasks import TasksORM from src.schemas.tasks import Task, TaskADDRequest, TaskPATCHRequest from src.services.base import BaseService class TaskService(BaseService): - model = TasksORM - async def create_task(self, user_id: int, task_data: TaskADDRequest) -> Task: user = await self.session.user.get_one_or_none(id=user_id) if user is None: @@ -29,7 +26,10 @@ class TaskService(BaseService): await self.session.commit() async def update_task( - self, task_id: int, task_data: TaskPATCHRequest, exclude_unset: bool = True + self, + task_id: int, + task_data: TaskPATCHRequest, + exclude_unset: bool = True, ): task = await self.session.task.update_one( id=task_id, data=task_data.model_dump(exclude_unset=exclude_unset)