from fastapi import Depends, HTTPException, status, Path, Request
from . import JWT
from server.database import db
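def check_permission(required: str):
    """Build a FastAPI dependency that authorises the current user for a route.

    Args:
        required: Name of the boolean permission attribute that must be set on
            the user's permissions record. It is a developer-supplied constant
            fixed at route declaration and is looked up with ``getattr``, so
            it must never be derived from request input: any truthy attribute
            (a method, for instance) would satisfy the check.

    Returns:
        An async dependency that resolves to the user record when access is
        allowed.
    """

    async def wrapper(
        request: Request,
        current_user=Depends(JWT.current_user),
    ):
        """Resolve the caller's user record and authorise the request.

        Raises:
            HTTPException: 403 if the caller lacks ``required``, if the route
                carries no ``email`` path parameter, or if that parameter is
                not the caller's own address. Admins are exempt from the last
                two checks.
        """
        # JWT.current_user is assumed to yield the caller's e-mail address:
        # it is passed to db.get_user_by_email and compared with the "email"
        # path parameter below — TODO confirm against JWT.current_user.
        user = await db.get_user_by_email(current_user)
        # NOTE(review): assumes user is not None and user.permissions is
        # non-empty; a missing user or permissions record would surface as an
        # unhandled error (HTTP 500) rather than a 403 — confirm with the db layer.
        perms = user.permissions[0]

        # Admins are always allowed, including on other users' accounts.
        if perms.is_admin:
            return user

        # The caller must hold the specific permission this route requires.
        if not getattr(perms, required, False):
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="You don't have a permission",
            )

        # Non-admins may only act on their own account. A route without an
        # "email" path parameter cannot be ownership-checked, so fail closed
        # with 403 instead of crashing on None.lower() (an unhandled 500).
        requested_email = request.path_params.get("email")
        if requested_email is None or current_user.lower() != requested_email.lower():
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="You can only do this with your own account",
            )

        return user

    return wrapper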