Harden user-scoped subscription route access checks
This commit is contained in:
@@ -10,6 +10,8 @@ from loguru import logger
|
||||
|
||||
from services.database import get_db
|
||||
from models.subscription_models import UsageAlert
|
||||
from middleware.auth_middleware import get_current_user
|
||||
from ..dependencies import verify_user_access
|
||||
|
||||
router = APIRouter()
|
||||
|
||||
@@ -19,9 +21,12 @@ async def get_usage_alerts(
|
||||
user_id: str,
|
||||
unread_only: bool = Query(False, description="Only return unread alerts"),
|
||||
limit: int = Query(50, ge=1, le=100, description="Maximum number of alerts"),
|
||||
db: Session = Depends(get_db)
|
||||
db: Session = Depends(get_db),
|
||||
current_user: Dict[str, Any] = Depends(get_current_user)
|
||||
) -> Dict[str, Any]:
|
||||
"""Get usage alerts for a user."""
|
||||
|
||||
verify_user_access(user_id, current_user)
|
||||
|
||||
try:
|
||||
query = db.query(UsageAlert).filter(
|
||||
@@ -79,16 +84,20 @@ async def get_usage_alerts(
|
||||
@router.post("/alerts/{alert_id}/mark-read")
|
||||
async def mark_alert_read(
|
||||
alert_id: int,
|
||||
db: Session = Depends(get_db)
|
||||
db: Session = Depends(get_db),
|
||||
current_user: Dict[str, Any] = Depends(get_current_user)
|
||||
) -> Dict[str, Any]:
|
||||
"""Mark an alert as read."""
|
||||
|
||||
try:
|
||||
alert = db.query(UsageAlert).filter(UsageAlert.id == alert_id).first()
|
||||
|
||||
|
||||
if not alert:
|
||||
raise HTTPException(status_code=404, detail="Alert not found")
|
||||
|
||||
|
||||
if str(alert.user_id) != str(current_user.get("id")):
|
||||
raise HTTPException(status_code=403, detail="Access denied")
|
||||
|
||||
alert.is_read = True
|
||||
alert.read_at = datetime.utcnow()
|
||||
db.commit()
|
||||
@@ -98,6 +107,8 @@ async def mark_alert_read(
|
||||
"message": "Alert marked as read"
|
||||
}
|
||||
|
||||
except HTTPException:
|
||||
raise
|
||||
except Exception as e:
|
||||
logger.error(f"Error marking alert as read: {e}")
|
||||
raise HTTPException(status_code=500, detail=str(e))
|
||||
|
||||
Reference in New Issue
Block a user