From 35774ee6094bbf907ccd9651e6da49d07a95ff62 Mon Sep 17 00:00:00 2001
From: Chidubem
Date: Sun, 2 Mar 2025 00:08:16 +0000
Subject: [PATCH] feat: refactored billing plan endpoints to include restrictions to authorized users (super-admin, billing and org_owner)

---
 api/utils/dependencies.py | 32 ++++++++++++++++++++++++++++++++
 api/v1/routes/billing_plan.py | 8 +++++---
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/api/utils/dependencies.py b/api/utils/dependencies.py
index c1e540504..35154baa8 100644
--- a/api/utils/dependencies.py
+++ b/api/utils/dependencies.py
@@ -6,8 +6,12 @@ from datetime import datetime, timedelta
 from api.v1.models.user import User
 from api.v1.schemas.token import TokenData
+from api.v1.schemas.user import ProfileData
 from api.db.database import get_db
 from .config import SECRET_KEY, ALGORITHM
+from api.v1.services.user import user_service
+from api.v1.services.profile import profile_service
+from api.v1.services.organisation import organisation_service
 import logging
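Review bot: The three new service imports pull the service layer into api/utils/dependencies.py, a module that already sits next to low-level auth helpers such as get_super_admin and oauth2_scheme. If any of user_service, profile_service or organisation_service (or something they import) in turn imports from api.utils.dependencies, this becomes a circular import that only surfaces at application start-up; that is an inference from the module names, not something visible in the hunk. It is worth confirming the import graph, or importing the services lazily inside get_authorized_user where they are used.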
@@ -56,3 +60,31 @@ def get_super_admin(db: Session = Depends(get_db), token: str = Depends(oauth2_s
 )
 logger.debug("User is super admin")
 return user
+
+
+def get_authorized_user(
+ db: Session = Depends(get_db),
+ current_user: User = Depends(user_service.get_current_user),
+) -> User:
+ """
+ Dependency to get the current user and check if they are a super admin,
+ in the billing department, or an owner.
+ """
+ if current_user.is_superadmin:
+ return current_user
+
+ profile = profile_service.fetch_by_user_id(db, current_user.id)
+ current_user_profile = ProfileData.model_validate(profile, from_attributes=True)
+ if current_user_profile.department == "billing":
+ return current_user
+
+
+ organisation = organisation_service.retrieve_user_organizations(current_user, db)
+ # Check if the user is an owner
+ if "owner" in organisation[0].user_role:
+ return current_user
+
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="You do not have the necessary permissions to access this resource."
+ )
diff --git a/api/v1/routes/billing_plan.py b/api/v1/routes/billing_plan.py
index dd467996a..37ee66490 100644
--- a/api/v1/routes/billing_plan.py
+++ b/api/v1/routes/billing_plan.py
@@ -13,6 +13,7 @@ from api.v1.schemas.plans import (
 CreateBillingPlanSchema,
 CreateBillingPlanResponse,
 GetBillingPlanListResponse
 )
+from api.utils.dependencies import get_authorized_user
 bill_plan = APIRouter(prefix="/organisations", tags=["Billing-Plan"])
@@ -40,7 +41,7 @@ async def retrieve_all_billing_plans(
 @bill_plan.post("/billing-plans", response_model=CreateBillingPlanResponse)
 async def create_new_billing_plan(
 request: CreateBillingPlanSchema,
- _: User = Depends(user_service.get_current_super_admin),
+ _: User = Depends(get_authorized_user),
 db: Session = Depends(get_db),
 ):
 """
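Review bot: The owner branch of get_authorized_user decides on `organisation[0]`, whichever organisation happens to be first for the user, while the routes that now depend on it (create_new_billing_plan in this file's second hunk, update_a_billing_plan and delete_a_billing_plan in the next two) take no organisation from the caller — so owning any single organisation appears to authorize billing-plan writes platform-wide, a much broader grant than the get_current_super_admin check it replaces. A user with no organisations makes `organisation[0]` raise IndexError (a 500 rather than the intended 403), and `ProfileData.model_validate(profile, from_attributes=True)` will likewise raise if fetch_by_user_id returns None. `"owner" in organisation[0].user_role` is a containment test whose strictness depends on the type of user_role (a string would match any role containing that substring); an equality comparison is unambiguous. It is also worth confirming that the profile `department` field cannot be set by the user themselves, since `department == "billing"` alone is treated as a full grant. I would scope the owner check to the organisation that owns the billing plan being changed, guard the empty cases, and log which branch granted access as get_super_admin does.
```python
def get_authorized_user(
    db: Session = Depends(get_db),
    current_user: User = Depends(user_service.get_current_user),
) -> User:
    # … unchanged: docstring …
    if current_user.is_superadmin:
        logger.debug("User authorized as super admin")
        return current_user

    profile = profile_service.fetch_by_user_id(db, current_user.id)
    # A missing profile must end in a 403, not a validation error surfacing as a 500.
    if profile is not None and profile.department == "billing":
        logger.debug("User authorized via billing department")
        return current_user

    organisations = organisation_service.retrieve_user_organizations(current_user, db)
    # TODO: scope this to the organisation that owns the billing plan being changed;
    # as written, ownership of any one organisation is sufficient.
    if any(org.user_role == "owner" for org in organisations):
        logger.debug("User authorized as organisation owner")
        return current_user

    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail="You do not have the necessary permissions to access this resource.",
    )
```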
@@ -60,7 +61,8 @@ async def create_new_billing_plan(
 async def update_a_billing_plan(
 billing_plan_id: str,
 request: CreateBillingPlanSchema,
- _: User = Depends(user_service.get_current_super_admin),
+ _: User = Depends(get_authorized_user),
+ # _: User = Depends(user_service.get_current_super_admin),
 db: Session = Depends(get_db),
 ):
 """
@@ -79,7 +81,7 @@ async def update_a_billing_plan(
 @bill_plan.delete("/billing-plans/{billing_plan_id}", response_model=success_response)
 async def delete_a_billing_plan(
 billing_plan_id: str,
- _: User = Depends(user_service.get_current_super_admin),
+ _: User = Depends(get_authorized_user),
 db: Session = Depends(get_db),
 ):
 """
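Review bot: The commented-out dependency `# _: User = Depends(user_service.get_current_super_admin),` left inside update_a_billing_plan's signature is dead code and should be dropped; the create and delete hunks do not carry it, so this one is inconsistent with them. If `user_service` is no longer referenced anywhere in billing_plan.py once these three replacements land, its import becomes unused as well — worth checking, since the import hunk in this file does not touch it. update_a_billing_plan's body continues outside the hunk.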