pikram/user-microservice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Corrected validation if user have privileges to create admin account

Browse Source
This commit is contained in:
Marcin-Ramotowski 2025-03-16 08:03:15 +00:00
parent 983b787bbb
commit 9f5bee3696
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
api/user_views.py
View File

@ -1,10 +1,16 @@
from flask import Blueprint, jsonify, request, abort from flask import Blueprint, jsonify, request, abort
from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, get_jwt_identity, unset_jwt_cookies from flask_jwt_extended import create_access_token, set_access_cookies, jwt_required, verify_jwt_in_request, get_jwt_identity, unset_jwt_cookies
from models import User, db from models import User, db
from werkzeug.security import check_password_hash, generate_password_hash from werkzeug.security import check_password_hash, generate_password_hash
user_bp = Blueprint('user_bp', __name__) user_bp = Blueprint('user_bp', __name__)
@user_bp.errorhandler(403)
def forbidden_error(error):
response = jsonify(error.description)
response.status_code = 403
return response
def admin_required(user_id, message='Access denied.'): def admin_required(user_id, message='Access denied.'):
user = User.query.get(user_id) user = User.query.get(user_id)
if user is None or user.role != "Administrator": if user is None or user.role != "Administrator":
@ -35,9 +41,9 @@ def get_user(user_id):
def create_user(): def create_user():
data = request.get_json() data = request.get_json()
new_user_role = data['role'] new_user_role = data['role']
# Only administrator can create admin accounts
if new_user_role == "Administrator": if new_user_role == "Administrator":
admin_required(get_jwt_identity()) verify_jwt_in_request()
admin_required(get_jwt_identity(), message="Access denied. Only administrators can create admin accounts.")
hashed_password = generate_password_hash(data['password']) hashed_password = generate_password_hash(data['password'])
user = User(username=data['username'], email=data['email'], password=hashed_password, role=new_user_role) user = User(username=data['username'], email=data['email'], password=hashed_password, role=new_user_role)
db.session.add(user) db.session.add(user)