@@ -96,10 +96,14 @@ def sync_ldap():
9696
9797@app .route ('/api/v1/packets/<username>' , methods = ['GET' ])
9898@packet_auth
99- def get_packets_by_user (username : str ) -> dict :
99+ @before_request
100+ def get_packets_by_user (username : str , info = None ) -> dict :
100101 """
101102 Return a dictionary of packets for a freshman by username, giving packet start and end date by packet id
102103 """
104+
105+ if info ['ritdn' ] != username :
106+ return 'Forbidden - not your packet' , 403
103107 frosh = Freshman .by_username (username )
104108
105109 return {packet .id : {
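Review bot: The new check at line 105, `if info ['ritdn' ] != username :`, has no `info['is_upper']` exemption, whereas the same ownership check added to get_newest_packet_by_user and get_packet_by_id in the following hunks lets an upperclassman through, so an upperclassman who may read a freshman's newest packet and each packet by id cannot list that freshman's packets via this route; if that tightening is deliberate it deserves a line in the docstring, otherwise the condition should match the others, `if not info['is_upper'] and info['ritdn'] != username:`. In all four hunks `info` defaults to `None` and is subscripted unconditionally, so a call that reaches the body without `before_request` having populated it fails with a TypeError (a 500) instead of a refusal; a fail-closed guard such as `if info is None: return 'Forbidden', 403` placed before the comparison keeps the failure mode an explicit denial. The `-> dict` annotation on the new signature no longer describes the `(str, int)` tuple the denial branch returns. The body of get_packets_by_user continues past the end of this hunk.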
@@ -110,10 +114,15 @@ def get_packets_by_user(username: str) -> dict:
110114
111115@app .route ('/api/v1/packets/<username>/newest' , methods = ['GET' ])
112116@packet_auth
113- def get_newest_packet_by_user (username : str ) -> dict :
117+ @before_request
118+ def get_newest_packet_by_user (username : str , info = None ) -> dict :
114119 """
115120 Return a user's newest packet
116121 """
122+
123+ if not info ['is_upper' ] and info ['ritdn' ] != username :
124+ return 'Forbidden - not your packet' , 403
125+
117126 frosh = Freshman .by_username (username )
118127
119128 packet = frosh .packets [- 1 ]
@@ -130,13 +139,17 @@ def get_newest_packet_by_user(username: str) -> dict:
130139
131140@app .route ('/api/v1/packet/<packet_id>' , methods = ['GET' ])
132141@packet_auth
133- def get_packet_by_id (packet_id : int ) -> dict :
142+ @before_request
143+ def get_packet_by_id (packet_id : int , info = None ) -> dict :
134144 """
135145 Return the scores of the packet in question
136146 """
137147
138148 packet = Packet .by_id (packet_id )
139149
150+ if not info ['is_upper' ] and info ['ritdn' ] != packet .freshman .rit_username :
151+ return 'Forbidden - not your packet' , 403
152+
140153 return {
141154 'required' : vars (packet .signatures_required ()),
142155 'received' : vars (packet .signatures_received ()),
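Review bot: The ownership check at line 150 dereferences `packet.freshman.rit_username` on whatever `Packet.by_id` returned at line 148, so if by_id yields `None` for an unknown id (I cannot see its contract from here) an unauthorized caller gets an AttributeError/500 for unknown ids and a 403 for existing ones, which both crashes the handler and lets the response code distinguish which ids exist. Folding the missing case into the same denial, `if packet is None or (not info['is_upper'] and info['ritdn'] != packet.freshman.rit_username): return 'Forbidden - not your packet', 403`, avoids the dereference and returns one uniform answer to callers who are not entitled to the packet; if the route is expected to answer 404 for unknown ids, that should be decided explicitly rather than left to the exception. The docstring should also record who may read a packet's scores (its owner, or any upperclassman), since that is now part of the contract. The function's body continues past the end of this hunk.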
@@ -198,13 +211,20 @@ def report(info):
198211
199212@app .route ('/api/v1/stats/packet/<packet_id>' )
200213@packet_auth
201- def packet_stats (packet_id ):
214+ @before_request
215+ def packet_stats (packet_id , info = None ):
216+ if not info ['is_upper' ] and info ['ritdn' ] != Packet .by_id (packet_id ).freshman .rit_username :
217+ return 'Forbidden - not your packet' , 403
202218 return stats .packet_stats (packet_id )
203219
204220
205221@app .route ('/api/v1/stats/upperclassman/<uid>' )
206222@packet_auth
207- def upperclassman_stats (uid ):
223+ @before_request
224+ def upperclassman_stats (uid , info = None ):
225+ if not info ['is_upper' ]:
226+ return 'Forbidden' , 403
227+
208228 return stats .upperclassman_stats (uid )
209229
210230
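Review bot: In packet_stats the check at line 216 looks the packet up inline, `Packet .by_id (packet_id ).freshman .rit_username`, only to discard it; if by_id can return `None` for an unknown id the chained attribute access raises before the 403 is reached, and `stats.packet_stats` presumably has to fetch the same packet again. Binding the result once, `packet = Packet.by_id(packet_id)`, guarding it as in get_packet_by_id, and then comparing against `packet.freshman.rit_username` keeps the check robust and avoids the double lookup. In upperclassman_stats the new check at line 225 only requires `info['is_upper']`, so any upperclassman can read any other upperclassman's stats by uid; if that is the intended policy it should be stated, since neither function has a docstring. Both functions in this hunk are complete; a one-line docstring each, e.g. `"""Return stats for a packet; readable by its owner or any upperclassman."""` and `"""Return an upperclassman's signing stats; upperclassmen only."""`, would document the new authorization rules.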