fix dep user for endpoints

src/api/v1/tasks.py

@@ -1,28 +1,20 @@
 from typing import Annotated
 
-from fastapi import APIRouter, Body, Depends
+from fastapi import APIRouter, Body, Depends, HTTPException
 
 from src.api.dependacies.db_dep import sessionDep
-from src.api.dependacies.task_dep import TaskFilterDep
-from src.api.dependacies.user_dep import ActiveUser, TaskOwnerDep
+from src.api.dependacies.user_dep import ActiveUser
 from src.schemas.tasks import TaskADDRequest, TaskPATCHRequest
 from src.services.tasks import TaskService
-from src.services.users import UserService
 
 router = APIRouter(prefix="/tasks", tags=["Tasks"])
 
 
-@router.get("/")
-async def get_tasks(session: sessionDep, user: ActiveUser, filter: TaskFilterDep):
-    result = await UserService(session).get_user_with_tasks(
-        user_id=user.id, **filter.model_dump(exclude_unset=True)
-    )
-    return result
-
-
 @router.get("/{id}")
-async def get_task_id(session: sessionDep, id: int, _: TaskOwnerDep):
+async def get_task_id(session: sessionDep, id: int, user: ActiveUser):
     task = await TaskService(session).get_task(id)
+    if task.user_id != user.id and user.is_superuser is False:
+        raise HTTPException(status_code=403, detail="Forbidden")
     return task
 
 
@@ -42,17 +34,26 @@ async def post_task(
 async def patch_task(
     session: sessionDep,
     id: int,
-    _: TaskOwnerDep,
+    user: ActiveUser,
     task_data: TaskPATCHRequest = Body(),
 ):
-    task = await TaskService(session).update_task(id, task_data)
-    return task
+    if user.is_superuser is False:
+        task = await TaskService(session).get_task(id)
+        if task.user_id != user.id:
+            raise HTTPException(status_code=403, detail="Forbidden")
+    updated_task = await TaskService(session).update_task(id, task_data)
+    return updated_task
 
 
 @router.delete("/{id}")
 async def delete_task(
     session: sessionDep,
     id: int,
-    _: TaskOwnerDep,
+    user: ActiveUser,
 ):
+    if user.is_superuser is False:
+        task = await TaskService(session).get_task(id)
+        if task.user_id != user.id:
+            raise HTTPException(status_code=403, detail="Forbidden")
     await TaskService(session).delete_task(id)
+    return {"message": "Task deleted successfully"}

src/api/v1/users.py

@@ -4,7 +4,6 @@ from src.api.dependacies.db_dep import sessionDep
 from src.api.dependacies.user_dep import (
     ActiveUser,
     AdminUser,
-    OwnerDep,
 )
 from src.core.settings import settings
 from src.schemas.users import UserUpdate
@@ -20,7 +19,7 @@ async def get_all_users(session: sessionDep, _: AdminUser):
 
 
 @router.get("/{id}")
-async def get_user_by_id(session: sessionDep, id: int, _: OwnerDep):
+async def get_user_by_id(session: sessionDep, id: int, _: AdminUser):
     user = await UserService(session).get_user_by_filter_or_raise(id=id)
     return user
 
@@ -39,9 +38,11 @@ async def get_user_tasks(session: sessionDep, id: int, user: ActiveUser):
 async def patch_user(
     session: sessionDep,
     id: int,
-    _: OwnerDep,
+    user: ActiveUser,
     user_update: UserUpdate = Body(),
 ):
+    if user.id != id and user.is_superuser is False:
+        raise HTTPException(status_code=403, detail="Forbidden")
     updated_user = await UserService(session).update_user(
         id=id, update_data=user_update
     )
@@ -49,6 +50,6 @@ async def patch_user(
 
 
 @router.delete("/{id}")
-async def delete_user(session: sessionDep, id: int, _: AdminUser):
+async def delete_user(session: sessionDep, id: int, user: AdminUser):
     await UserService(session).delete_user(id)
     return {"message": "User deleted successfully"}