fix dep user for endpoints

2025-09-28 22:18:23 +03:00
parent 23927e5347
commit ddaa5b0c74
3 changed files with 27 additions and 25 deletions
--- a/src/api/v1/users.py
+++ b/src/api/v1/users.py
@@ -4,7 +4,6 @@ from src.api.dependacies.db_dep import sessionDep
 from src.api.dependacies.user_dep import (
    ActiveUser,
    AdminUser,
-    OwnerDep,
 )
 from src.core.settings import settings
 from src.schemas.users import UserUpdate
@@ -20,7 +19,7 @@ async def get_all_users(session: sessionDep, _: AdminUser):


@router.get("/{id}")
-async def get_user_by_id(session: sessionDep, id: int, _: OwnerDep):
+async def get_user_by_id(session: sessionDep, id: int, _: AdminUser):
    user = await UserService(session).get_user_by_filter_or_raise(id=id)
    return user

@@ -39,9 +38,11 @@ async def get_user_tasks(session: sessionDep, id: int, user: ActiveUser):
 async def patch_user(
    session: sessionDep,
    id: int,
-    _: OwnerDep,
+    user: ActiveUser,
    user_update: UserUpdate = Body(),
 ):
+    if user.id != id and user.is_superuser is False:
+        raise HTTPException(status_code=403, detail="Forbidden")
    updated_user = await UserService(session).update_user(
        id=id, update_data=user_update
    )
@@ -49,6 +50,6 @@ async def patch_user(


@router.delete("/{id}")
-async def delete_user(session: sessionDep, id: int, _: AdminUser):
+async def delete_user(session: sessionDep, id: int, user: AdminUser):
    await UserService(session).delete_user(id)
    return {"message": "User deleted successfully"}