Commit b2443a2c authored by ilona's avatar ilona Committed by Iziram

API: code http 403 et non 401 si permission non accordée.

parent 0df77b20
...@@ -765,7 +765,7 @@ def justif_export(justif_id: int | None = None, filename: str | None = None): ...@@ -765,7 +765,7 @@ def justif_export(justif_id: int | None = None, filename: str | None = None):
current_user.has_permission(Permission.AbsJustifView) current_user.has_permission(Permission.AbsJustifView)
or justificatif_unique.user_id == current_user.id or justificatif_unique.user_id == current_user.id
): ):
return json_error(401, "non autorisé à voir ce fichier") return json_error(403, "non autorisé à voir ce fichier")
# On récupère l'archive concernée # On récupère l'archive concernée
archive_name: str = justificatif_unique.fichier archive_name: str = justificatif_unique.fichier
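Review bot: The 403 on the `return json_error(403, "non autorisé à voir ce fichier")` line is the right code only for a caller that is authenticated but not allowed; if this route can be reached by an anonymous `current_user` (the start of `justif_export` is outside the hunk, so this cannot be confirmed here), that case should still answer 401 so clients know to authenticate rather than that access is denied outright. Note also that answering 403 for an existing `justif_id` the caller may not view, while a missing id presumably answers 404 earlier in the function, lets a client distinguish existing from non-existing justificatifs; if that distinction matters for this data, consider returning the same 404 in both cases and documenting the choice in a comment such as `# 404 plutôt que 403 pour ne pas révéler l'existence du justificatif`. The body of `justif_export` continues before and after the hunk.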
...@@ -169,7 +169,7 @@ def group_set_etudiant(group_id: int, etudid: int): ...@@ -169,7 +169,7 @@ def group_set_etudiant(group_id: int, etudid: int):
if not group.partition.formsemestre.etat: if not group.partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not group.partition.formsemestre.can_change_groups(): if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
if etud.id not in {e.id for e in group.partition.formsemestre.etuds}: if etud.id not in {e.id for e in group.partition.formsemestre.etuds}:
return json_error(404, "etud non inscrit au formsemestre du groupe") return json_error(404, "etud non inscrit au formsemestre du groupe")
...@@ -202,7 +202,7 @@ def group_remove_etud(group_id: int, etudid: int): ...@@ -202,7 +202,7 @@ def group_remove_etud(group_id: int, etudid: int):
if not group.partition.formsemestre.etat: if not group.partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not group.partition.formsemestre.can_change_groups(): if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
group.remove_etud(etud) group.remove_etud(etud)
...@@ -232,7 +232,7 @@ def partition_remove_etud(partition_id: int, etudid: int): ...@@ -232,7 +232,7 @@ def partition_remove_etud(partition_id: int, etudid: int):
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups(): if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
db.session.execute( db.session.execute(
sa.text( sa.text(
"""DELETE FROM group_membership """DELETE FROM group_membership
...@@ -289,7 +289,7 @@ def group_create(partition_id: int): # partition-group-create ...@@ -289,7 +289,7 @@ def group_create(partition_id: int): # partition-group-create
if not partition.groups_editable: if not partition.groups_editable:
return json_error(403, "partition non editable") return json_error(403, "partition non editable")
if not partition.formsemestre.can_change_groups(): if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
args = request.get_json(force=True) # may raise 400 Bad Request args = request.get_json(force=True) # may raise 400 Bad Request
group_name = args.get("group_name") group_name = args.get("group_name")
...@@ -337,7 +337,7 @@ def group_delete(group_id: int): ...@@ -337,7 +337,7 @@ def group_delete(group_id: int):
if not group.partition.groups_editable: if not group.partition.groups_editable:
return json_error(403, "partition non editable") return json_error(403, "partition non editable")
if not group.partition.formsemestre.can_change_groups(): if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
formsemestre_id = group.partition.formsemestre_id formsemestre_id = group.partition.formsemestre_id
log(f"deleting {group}") log(f"deleting {group}")
db.session.delete(group) db.session.delete(group)
...@@ -378,7 +378,7 @@ def group_edit(group_id: int): ...@@ -378,7 +378,7 @@ def group_edit(group_id: int):
if not group.partition.groups_editable: if not group.partition.groups_editable:
return json_error(403, "partition non editable") return json_error(403, "partition non editable")
if not group.partition.formsemestre.can_change_groups(): if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
args = request.get_json(force=True) # may raise 400 Bad Request args = request.get_json(force=True) # may raise 400 Bad Request
if "group_name" in args: if "group_name" in args:
...@@ -423,7 +423,7 @@ def group_set_edt_id(group_id: int, edt_id: str): ...@@ -423,7 +423,7 @@ def group_set_edt_id(group_id: int, edt_id: str):
) )
group: GroupDescr = query.first_or_404() group: GroupDescr = query.first_or_404()
if not group.partition.formsemestre.can_change_groups(): if not group.partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
log(f"group_set_edt_id( {group_id}, '{edt_id}' )") log(f"group_set_edt_id( {group_id}, '{edt_id}' )")
group.edt_id = edt_id group.edt_id = edt_id
db.session.add(group) db.session.add(group)
...@@ -461,7 +461,7 @@ def partition_create(formsemestre_id: int): ...@@ -461,7 +461,7 @@ def partition_create(formsemestre_id: int):
if not formsemestre.etat: if not formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not formsemestre.can_change_groups(): if not formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
data = request.get_json(force=True) # may raise 400 Bad Request data = request.get_json(force=True) # may raise 400 Bad Request
partition_name = data.get("partition_name") partition_name = data.get("partition_name")
if partition_name is None: if partition_name is None:
...@@ -523,7 +523,7 @@ def formsemestre_set_partitions_order(formsemestre_id: int): ...@@ -523,7 +523,7 @@ def formsemestre_set_partitions_order(formsemestre_id: int):
if not formsemestre.etat: if not formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not formsemestre.can_change_groups(): if not formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
partition_ids = request.get_json(force=True) # may raise 400 Bad Request partition_ids = request.get_json(force=True) # may raise 400 Bad Request
if not isinstance(partition_ids, list) and not all( if not isinstance(partition_ids, list) and not all(
isinstance(x, int) for x in partition_ids isinstance(x, int) for x in partition_ids
...@@ -569,7 +569,7 @@ def partition_order_groups(partition_id: int): ...@@ -569,7 +569,7 @@ def partition_order_groups(partition_id: int):
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups(): if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
group_ids = request.get_json(force=True) # may raise 400 Bad Request group_ids = request.get_json(force=True) # may raise 400 Bad Request
if not isinstance(group_ids, list) and not all( if not isinstance(group_ids, list) and not all(
isinstance(x, int) for x in group_ids isinstance(x, int) for x in group_ids
...@@ -623,7 +623,7 @@ def partition_edit(partition_id: int): ...@@ -623,7 +623,7 @@ def partition_edit(partition_id: int):
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups(): if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
data = request.get_json(force=True) # may raise 400 Bad Request data = request.get_json(force=True) # may raise 400 Bad Request
modified = False modified = False
partition_name = data.get("partition_name") partition_name = data.get("partition_name")
...@@ -689,7 +689,7 @@ def partition_delete(partition_id: int): ...@@ -689,7 +689,7 @@ def partition_delete(partition_id: int):
if not partition.formsemestre.etat: if not partition.formsemestre.etat:
return json_error(403, "formsemestre verrouillé") return json_error(403, "formsemestre verrouillé")
if not partition.formsemestre.can_change_groups(): if not partition.formsemestre.can_change_groups():
return json_error(401, "opération non autorisée") return json_error(403, "opération non autorisée")
if not partition.partition_name: if not partition.partition_name:
return json_error( return json_error(
API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut" API_CLIENT_ERROR, "ne peut pas supprimer la partition par défaut"
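Review bot: The same three-line guard (`if not ...formsemestre.can_change_groups(): return json_error(403, "opération non autorisée")`, usually preceded by the `etat` check) is copied into every handler touched here — `group_set_etudiant`, `group_remove_etud`, `partition_remove_etud`, `group_create`, `group_delete`, `group_edit`, `group_set_edt_id`, `partition_create`, `formsemestre_set_partitions_order`, `partition_order_groups`, `partition_edit`, `partition_delete` — which is why this commit had to edit twelve sites for one status-code change. A private helper that performs both checks and returns the error response (or `None`) would keep the code and message in one place, and the last hunk shows the file already names one status code (`API_CLIENT_ERROR`), so the 403 could be given a similar named constant instead of a literal. Each handler's body starts and ends outside its hunk, so the exact set of checks per handler (some also test `partition.groups_editable`) should be confirmed before folding them into the helper.
```python
def _groups_change_error(formsemestre):
    """Return a json_error response when the groups of *formsemestre* cannot be modified, else None."""
    if not formsemestre.etat:
        return json_error(403, "formsemestre verrouillé")
    if not formsemestre.can_change_groups():
        return json_error(403, "opération non autorisée")
    return None


# … in each handler, replacing the two inline checks …
    if (err := _groups_change_error(group.partition.formsemestre)) is not None:
        return err
```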