],
)
-@router.get("/{id}")
-async def get(id: uuid.UUID) -> uploads.Upload:
+async def get_upload(id: uuid.UUID,
+ current_principal = fastapi.Depends(auth.get_current_principal)) -> uploads.Upload:
+ """
+ Automatically fetches an upload object
+ """
upload = await backend.uploads.get_by_uuid(id)
# Raise 404 if the upload could not be found
if not upload:
raise fastapi.HTTPException(404, "Upload not found")
+ # Check if the logged in principal has permissions to access this upload
+ if not upload.has_perm(current_principal):
+ raise fastapi.HTTPException(403, "Access Denied")
+
+ return upload
+
+@router.get("/{id}")
+async def get(upload: uploads.Upload = fastapi.Depends(get_upload)) -> uploads.Upload:
return upload
+
# Add everything to the app
app.include_router(router)
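Review bot: In `get_upload`, the new permission check answers 403 "Access Denied" only after the lookup has succeeded, while an unknown id gets 404, so a caller with no access to an upload can still tell which ids exist. Unless that distinction is intended, raise the same error in both branches, e.g. `raise fastapi.HTTPException(404, "Upload not found")` when `upload.has_perm(current_principal)` is false, and log the denial server-side so it stays visible to operators. `auth.get_current_principal` is not visible in this hunk; if it can return `None` for an anonymous caller, `has_perm` has to deny that case explicitly. The docstring should also say that this dependency enforces the permission check, for example `"""Fetch an upload by id; raises 404 if it is missing or not accessible to the current principal."""`.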