From 822ca69ccb22160e77a8af66cda1f2de0674b006 Mon Sep 17 00:00:00 2001
From: Marcin-Ramotowski
Date: Sat, 15 Mar 2025 19:08:59 +0000
Subject: [PATCH] Corrected error handling during access validation

---
 api/user_views.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/user_views.py b/api/user_views.py
index 8f01b50..dcad3fd 100644
--- a/api/user_views.py
+++ b/api/user_views.py
@@ -8,14 +8,20 @@ user_bp = Blueprint('user_bp', __name__)
 def admin_required(user_id):
     user = User.query.get(user_id)
     if user is None or user.role != "Administrator":
-        return jsonify({'error': f'Access denied.'}), 403
+        abort(403, {'error': f'Access denied.'})
 def validate_access(owner_id):
     # Check if user try to access or edit resource that does not belong to them
     logged_user_id = int(get_jwt_identity())
     logged_user_role = User.query.get(logged_user_id).role
     if logged_user_role != "Administrator" and logged_user_id != owner_id:
-        return jsonify({'error': f'Access denied.'}), 403
+        abort(403, {'error': f'Access denied.'})
+
+@user_bp.errorhandler(403)
+def forbidden_error(error):
+    response = jsonify(error.description)
+    response.status_code = 403
+    return response
 @user_bp.route('/users', methods=['GET'])
 @jwt_required()
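Review bot: In `validate_access`, `User.query.get(logged_user_id).role` raises `AttributeError` (a 500) when the JWT subject no longer exists in the database, e.g. a deleted account whose token has not yet expired, so that case is refused by a crash rather than by the 403 path this commit introduces. Load the user first and fail closed: `user = User.query.get(logged_user_id)` / `if user is None or (user.role != "Administrator" and logged_user_id != owner_id):` / `abort(403, {'error': 'Access denied.'})`. `forbidden_error` also passes `error.description` straight to `jsonify`, so any 403 raised in the blueprint without a dict description (a plain `abort(403)` elsewhere, or one raised by an extension) is returned as a bare JSON string instead of the `{'error': ...}` shape the two helpers produce; `jsonify(error.description if isinstance(error.description, dict) else {'error': 'Access denied.'})` keeps the contract uniform. Separately, `admin_required` checks whichever `user_id` it is handed rather than the JWT identity itself, so it is only as strong as its callers: if any caller outside this hunk passes an id taken from the request rather than from `get_jwt_identity()`, the check is bypassable — the call sites are not visible here, so this is worth confirming.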