From 4b531dbf159b0764cc97edc40ffdb90e1ac685cd Mon Sep 17 00:00:00 2001
From: ValueOn AG
Date: Fri, 17 Apr 2026 11:51:26 +0200
Subject: [PATCH] fixes
---
modules/routes/routeDataMandates.py | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/modules/routes/routeDataMandates.py b/modules/routes/routeDataMandates.py
index 9c48ccd1..3c3da3a5 100644
--- a/modules/routes/routeDataMandates.py
+++ b/modules/routes/routeDataMandates.py
@@ -343,6 +343,26 @@ def create_mandate(
_MANDATE_ADMIN_EDITABLE_FIELDS = {"label"}
+def _isUserAdminOfMandate(userId: str, targetMandateId: str) -> bool:
+ """Check mandate-admin without RequestContext (avoids Header param conflicts)."""
+ try:
+ rootInterface = interfaceDbApp.getRootInterface()
+ userMandates = rootInterface.getUserMandates(userId)
+ for um in userMandates:
+ if str(getattr(um, 'mandateId', '')) != str(targetMandateId):
+ continue
+ umId = getattr(um, 'id', None)
+ if not umId:
+ continue
+ roleIds = rootInterface.getRoleIdsForUserMandate(str(umId))
+ for roleId in roleIds:
+ role = rootInterface.getRole(roleId)
+ if role and role.roleLabel == "admin" and not role.featureInstanceId:
+ return True
+ except Exception as e:
+ logger.error(f"Error checking mandate admin: {e}")
+ return False
+
@router.put("/{mandateId}", response_model=Mandate)
@limiter.limit("10/minute")
def update_mandate(
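Review bot: In `_isUserAdminOfMandate` the `getattr(um, 'mandateId', '')` default makes a user-mandate record with no `mandateId` attribute compare equal to an empty `targetMandateId`, so an empty id would match it; default to `None` instead and add a guard at the top, `if not targetMandateId: return False`. The catch-all `except Exception` returns False, which fails closed, but `logger.exception("Error checking mandate admin")` would preserve the traceback that the f-string message drops. The role test `role.roleLabel == "admin" and not role.featureInstanceId` appears to duplicate what the now-bypassed `_hasMandateAdminRole` checks, so the two can drift; a comment such as `# Keep in sync with _hasMandateAdminRole (RequestContext-based variant)` would flag that. PEP 8 also wants two blank lines between the `_MANDATE_ADMIN_EDITABLE_FIELDS` assignment and the new `def`.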
@@ -358,12 +378,11 @@ def update_mandate(
- MandateAdmin: only label
"""
from modules.auth import _hasSysAdminRole as _checkSysAdminRole
- isSysAdmin = _checkSysAdminRole(str(currentUser.id))
+ userId = str(currentUser.id)
+ isSysAdmin = _checkSysAdminRole(userId)
if not isSysAdmin:
- context = getRequestContext(request, currentUser=currentUser)
- isMandateAdmin = _hasMandateAdminRole(context, mandateId)
- if not isMandateAdmin:
+ if not _isUserAdminOfMandate(userId, mandateId):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=routeApiMsg("Admin role required to update mandate")