fixes
This commit is contained in:
parent
19be818fbb
commit
4b531dbf15
1 changed files with 23 additions and 4 deletions
@ -343,6 +343,26 @@ def create_mandate(
|
|||
|
||||
_MANDATE_ADMIN_EDITABLE_FIELDS = {"label"}
|
||||
|
||||
def _isUserAdminOfMandate(userId: str, targetMandateId: str) -> bool:
|
||||
"""Check mandate-admin without RequestContext (avoids Header param conflicts)."""
|
||||
try:
|
||||
rootInterface = interfaceDbApp.getRootInterface()
|
||||
userMandates = rootInterface.getUserMandates(userId)
|
||||
for um in userMandates:
|
||||
if str(getattr(um, 'mandateId', '')) != str(targetMandateId):
|
||||
continue
|
||||
umId = getattr(um, 'id', None)
|
||||
if not umId:
|
||||
continue
|
||||
roleIds = rootInterface.getRoleIdsForUserMandate(str(umId))
|
||||
for roleId in roleIds:
|
||||
role = rootInterface.getRole(roleId)
|
||||
if role and role.roleLabel == "admin" and not role.featureInstanceId:
|
||||
return True
|
||||
except Exception as e:
|
||||
logger.error(f"Error checking mandate admin: {e}")
|
||||
return False
|
||||
|
||||
@router.put("/{mandateId}", response_model=Mandate)
|
||||
@limiter.limit("10/minute")
|
||||
def update_mandate(
|
||||
|
|
@ -358,12 +378,11 @@ def update_mandate(
|
|||
- MandateAdmin: only label
|
||||
"""
|
||||
from modules.auth import _hasSysAdminRole as _checkSysAdminRole
|
||||
isSysAdmin = _checkSysAdminRole(str(currentUser.id))
|
||||
userId = str(currentUser.id)
|
||||
isSysAdmin = _checkSysAdminRole(userId)
|
||||
|
||||
if not isSysAdmin:
|
||||
context = getRequestContext(request, currentUser=currentUser)
|
||||
isMandateAdmin = _hasMandateAdminRole(context, mandateId)
|
||||
if not isMandateAdmin:
|
||||
if not _isUserAdminOfMandate(userId, mandateId):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail=routeApiMsg("Admin role required to update mandate")
|
||||
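Review bot: `_isUserAdminOfMandate` re-implements the mandate-admin decision that `_hasMandateAdminRole(context, mandateId)` used to make for this route (second hunk), so the application now carries two authorization paths that can drift apart on the role label, the `featureInstanceId` scoping, or how user-mandate rows are matched. If the Header-parameter conflict named in the helper's docstring is the only obstacle, consider having `_hasMandateAdminRole` delegate to this context-free helper so there is one source of truth for "admin of mandate". The `except Exception` branch fails closed, which is the right default for an authorization check, but it also reports a backend lookup failure to the caller as a plain 403 and discards the traceback; `logger.exception("Error checking mandate admin")` keeps the stack trace for triage and replaces the f-string with the logger's lazy formatting. Both `_isUserAdminOfMandate` and `update_mandate` continue outside the hunks, so whether `_MANDATE_ADMIN_EDITABLE_FIELDS` is actually enforced on the update body cannot be confirmed from this view.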