diff --git a/app/api/permission_protection.py b/app/api/permission_protection.py
index 66d3207..220e9e2 100644
--- a/app/api/permission_protection.py
+++ b/app/api/permission_protection.py
@@ -3,7 +3,20 @@ from flask_restful import abort
 from functools import wraps
+valid_permissions = [
+ 'CREATE_DEVICE_TYPE',
+ 'CREATE_ROLE',
+ 'ASSIGN_ROLE',
+ 'CREATE_DEVICE',
+ 'CREATE_DASHBOARD',
+ 'READ_DEVICE_TYPES',
+ 'READ_ROLES']
+
+
 def requires_permission(permission, action_name='Action'):
+ if permission not in valid_permissions:
+ raise ValueError('Permission ' + str(permission) + ' does not exist!')
+
 def requires_permission_decorator(func):
 @wraps(func)
 def permission_protected_function(*args, **kwargs):
diff --git a/app/api/resources/account.py b/app/api/resources/account.py
index 828774e..9868f47 100644
--- a/app/api/resources/account.py
+++ b/app/api/resources/account.py
@@ -5,7 +5,8 @@ from webargs.flaskparser import use_args
 from flasgger import swag_from
 import app.accounts.api as accounts
 from app.api.auth_protection import ProtectedResource
-from app.api.permission_protection import requires_permission
+from app.api.permission_protection import (requires_permission,
+ valid_permissions)
 class UserSchema(Schema):
@@ -18,11 +19,16 @@ class RoleUpdateSchema(Schema):
 role_id = fields.Integer(required=True, load_only=True, location='json')
+def validate_role_permissions(permissions_list):
+ return set(permissions_list).issubset(valid_permissions)
+
+
 class RoleSchema(Schema):
 id = fields.Integer(required=True, location='json')
 display_name = fields.String(required=True, location='json')
 permissions = fields.List(fields.String, required=True,
- location='json', many=True)
+ location='json', many=True,
+ validate=validate_role_permissions)
 class RoleWrapperSchema(Schema):
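Review bot: `valid_permissions` becomes the authoritative allow-list for both the decorator and the role schema in account.py, yet it is declared as a plain mutable list, so any module that imports it can append to it at runtime and silently widen what a role may be granted; declare it immutable, `valid_permissions = frozenset([` … `'READ_ROLES'])`, which keeps the `in` check here and the `issubset` call in account.py working unchanged (use a tuple instead if anything iterates it for display order). The decoration-time `ValueError` is a good fail-fast: a typo in a `@requires_permission('...')` name now surfaces at import rather than as a route nobody can ever be authorized for. The runtime comparison inside `permission_protected_function`, which must match these same names against the caller's granted permissions, lies outside this hunk and should be reviewed against the new list separately. The permission names appear to live only in this literal; if the role store keeps its own copy, confirm which one is the source of truth so they cannot drift.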
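Review bot: `validate_role_permissions` returns a bare `False` on an unknown name, so marshmallow turns that into its generic `Invalid value.` error and the client cannot tell which entry was rejected; raise a `ValidationError` naming the offenders instead: `unknown = set(permissions_list) - set(valid_permissions)`, `if unknown:`, `raise ValidationError('Unknown permissions: ' + ', '.join(sorted(unknown)))`. `ValidationError` comes from marshmallow and would need importing next to `Schema` and `fields`, whose import line is outside this hunk. The set comparison also lets duplicates through (`['CREATE_ROLE', 'CREATE_ROLE']` passes) and accepts an empty list, so decide whether a role with no permissions is meant to be creatable and add `validate.Length(min=1)` if not. The validator is attached only to `RoleSchema`, so it guards role creation through this schema; any other code path that writes a role's permissions is not covered by this change.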