Refactor event access validation and enhance endpoint logic

Centralized event access validation into a reusable `validate_event_access` function, eliminating duplicated code across endpoints. Updated the logic in `get_event` and `get_event_by_slug` to use this function. Adjusted tests to align with the refactored logic and fixed permission-based response statuses.
2025-03-10 09:18:46 +01:00
parent c5915e57b1
commit e1145525ff
2 changed files with 105 additions and 78 deletions
--- a/backend/app/api/routes/events/router.py
+++ b/backend/app/api/routes/events/router.py
@@ -1,11 +1,12 @@
 import logging
-from typing import Optional, Any, Dict
+from typing import Any, Dict
+from typing import Optional
 from uuid import UUID

-from fastapi import APIRouter, Depends, HTTPException, Query, status
+from fastapi import APIRouter, Depends, Query
+from fastapi import HTTPException, status
 from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import Session
-from starlette.config import environ

 from app.api.dependencies.auth import get_current_user, get_optional_current_user
 from app.core.database import get_db
@@ -17,13 +18,63 @@ from app.schemas.common import PaginatedResponse
 from app.schemas.events import (
    EventCreate,
    EventUpdate,
-    EventResponse,
+    EventResponse, Event,
 )

 logger = logging.getLogger(__name__)
 events_router = APIRouter()


+def validate_event_access(
+        *,
+        db: Session,
+        event_obj: Optional[Event],
+        current_user: Optional[User],
+        access_code: Optional[str] = None
+) -> EventResponse:
+    """Validate access permissions for an event."""
+
+    if event_obj is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Event not found"
+        )
+
+    # Allow creator or superuser
+    if current_user and (
+            event_obj.created_by == current_user.id or current_user.is_superuser
+    ):
+        return event_obj
+
+    # Allow manager
+    if current_user:
+        is_manager = db.query(EventManager).filter_by(
+            event_id=event_obj.id, user_id=current_user.id
+        ).first()
+        if is_manager:
+            return event_obj
+
+    # Public event, allow anyone
+    if event_obj.is_public:
+        return event_obj
+
+    # Guest user allowed if authenticated
+    if current_user:
+        guest_entry = db.query(Guest).filter_by(
+            event_id=event_obj.id, user_id=current_user.id
+        ).first()
+        if guest_entry:
+            return event_obj
+
+    # Access with invite/access code (generic method if implemented)
+    if access_code and (event_obj.access_code == access_code):
+        return event_obj
+
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="Not enough permissions to access this event"
+    )
+
+
@events_router.post(
    "/",
    response_model=EventResponse,
@@ -184,103 +235,54 @@ def get_event(
        *,
        db: Session = Depends(get_db),
        event_id: UUID,
-        current_user: User = Depends(get_current_user)
+        access_code: Optional[str] = Query(None),
+        current_user: Optional[User] = Depends(get_current_user)
 ) -> EventResponse:
    """Get event by ID."""
-    if current_user is None:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid authentication credentials",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-
+    print("Getting event")
    try:
        event_obj = event.get(db=db, id=event_id)
-        if not event_obj:
-            raise HTTPException(
-                status_code=status.HTTP_404_NOT_FOUND,
-                detail="Event not found"
-            )
-
-        # Allow direct access if user is creator or superuser
-        if event_obj.created_by == current_user.id or current_user.is_superuser:
-            return event_obj
-
-        # Allow direct access if the user is managing the event
-        is_manager = db.query(EventManager).filter(
-            EventManager.event_id == event_id,
-            EventManager.user_id == current_user.id
-        ).first()
-
-        if is_manager:
-            return event_obj
-
-        # Allow access if the event is public
-        if event_obj.is_public:
-            return event_obj
-
-        # Allow access if the user is explicitly invited (Guest)
-        guest_entry = db.query(Guest).filter(
-            Guest.event_id == event_id,
-            Guest.user_id == current_user.id
-        ).first()
-
-        if guest_entry:
-            return event_obj
-
-        # User does not meet any permitted criteria; deny access
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Not enough permissions to access this event"
+        return validate_event_access(
+            db=db,
+            event_obj=event_obj,
+            current_user=current_user,
+            access_code=access_code
        )

    except SQLAlchemyError:
        raise HTTPException(
            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail="Error retrieving event"
+            detail="Error retrieving event",
        )


@events_router.get(
    "/by-slug/{slug}",
    response_model=EventResponse,
-    operation_id="get_public_event"
+    operation_id="get_event_by_slug"
 )
-def get_public_event(
+def get_event_by_slug(
        *,
        db: Session = Depends(get_db),
        slug: str,
        access_code: Optional[str] = Query(None),
-        current_user: Optional[User] = Depends(get_optional_current_user)
+        current_user: Optional[User] = Depends(get_current_user)
 ) -> EventResponse:
-    """Get public event by slug."""
-    if current_user is None:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid authentication credentials",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
+    """Get event by slug."""
    try:
        event_obj = event.get_public_event(db=db, slug=slug, access_code=access_code)
-        if not event_obj:
-            raise HTTPException(
-                status_code=status.HTTP_404_NOT_FOUND,
-                detail="Event not found"
-            )

-        # If event is not public and user is not authenticated, check access code
-        if not event_obj.is_public and not current_user:
-            if not access_code or access_code != event_obj.access_code:
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail="Invalid access code"
-                )
+        return validate_event_access(
+            db=db,
+            event_obj=event_obj,
+            current_user=current_user,
+            access_code=access_code
+        )

-        return event_obj
    except SQLAlchemyError:
        raise HTTPException(
            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail="Error retrieving event"
+            detail="Error retrieving event",
        )