From 3c0644357b4a0a83cf3efceb4f48829db87a8e47 Mon Sep 17 00:00:00 2001
From: esensar <esarajcic1@etf.unsa.ba>
Date: Sat, 6 Oct 2018 14:18:04 +0200
Subject: [PATCH] Add list of possible permissions

---
 app/api/permission_protection.py | 13 +++++++++++++
 app/api/resources/account.py     | 10 ++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/api/permission_protection.py b/app/api/permission_protection.py
index 66d3207..220e9e2 100644
--- a/app/api/permission_protection.py
+++ b/app/api/permission_protection.py
@@ -3,7 +3,20 @@ from flask_restful import abort
 from functools import wraps
 
 
+valid_permissions = [
+        'CREATE_DEVICE_TYPE',
+        'CREATE_ROLE',
+        'ASSIGN_ROLE',
+        'CREATE_DEVICE',
+        'CREATE_DASHBOARD',
+        'READ_DEVICE_TYPES',
+        'READ_ROLES']
+
+
 def requires_permission(permission, action_name='Action'):
+    if permission not in valid_permissions:
+        raise ValueError('Permission ' + str(permission) + ' does not exist!')
+
     def requires_permission_decorator(func):
         @wraps(func)
         def permission_protected_function(*args, **kwargs):
diff --git a/app/api/resources/account.py b/app/api/resources/account.py
index 828774e..9868f47 100644
--- a/app/api/resources/account.py
+++ b/app/api/resources/account.py
@@ -5,7 +5,8 @@ from webargs.flaskparser import use_args
 from flasgger import swag_from
 import app.accounts.api as accounts
 from app.api.auth_protection import ProtectedResource
-from app.api.permission_protection import requires_permission
+from app.api.permission_protection import (requires_permission,
+                                           valid_permissions)
 
 
 class UserSchema(Schema):
@@ -18,11 +19,16 @@ class RoleUpdateSchema(Schema):
     role_id = fields.Integer(required=True, load_only=True, location='json')
 
 
+def validate_role_permissions(permissions_list):
+    return set(permissions_list).issubset(valid_permissions)
+
+
 class RoleSchema(Schema):
     id = fields.Integer(required=True, location='json')
     display_name = fields.String(required=True, location='json')
     permissions = fields.List(fields.String, required=True,
-                              location='json', many=True)
+                              location='json', many=True,
+                              validate=validate_role_permissions)
 
 
 class RoleWrapperSchema(Schema):