From aab1bc6daef2dfcd008773d0c8071cf4e78a64fc Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 16 Jun 2025 17:35:01 +0000
Subject: [PATCH] API: Consolidate code to fetch uploads and check permissions
Signed-off-by: Michael Tremer
---
 src/api/uploads.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/api/uploads.py b/src/api/uploads.py
index fe1273fb..dc97fc13 100644
--- a/src/api/uploads.py
+++ b/src/api/uploads.py
@@ -38,15 +38,27 @@ router = fastapi.APIRouter(
 ],
 )
-@router.get("/{id}")
-async def get(id: uuid.UUID) -> uploads.Upload:
+async def get_upload(id: uuid.UUID,
+ current_principal = fastapi.Depends(auth.get_current_principal)) -> uploads.Upload:
+ """
+ Automatically fetches an upload object
+ """
 upload = await backend.uploads.get_by_uuid(id)
 # Raise 404 if the upload could not be found
 if not upload:
 raise fastapi.HTTPException(404, "Upload not found")
+ # Check if the logged in principal has permissions to access this upload
+ if not upload.has_perm(current_principal):
+ raise fastapi.HTTPException(403, "Access Denied")
+
+ return upload
+
+@router.get("/{id}")
+async def get(upload: uploads.Upload = fastapi.Depends(get_upload)) -> uploads.Upload:
 return upload
+
 # Add everything to the app
 app.include_router(router)
-- 
2.47.2
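Review bot: In `get_upload` the permission branch answers 403 while a missing upload answers 404, so a principal without access can tell which upload UUIDs exist. If that distinction is not intended, answer both cases the same way, e.g. `if not upload or not upload.has_perm(current_principal): raise fastapi.HTTPException(404, "Upload not found")`. `has_perm` is defined outside this hunk; if it is a coroutine function, the un-awaited call is always truthy and the check would never deny, so confirm it is synchronous or add `await`. The docstring only says the upload is fetched; it should also state that this dependency enforces access for the current principal and which status codes it raises. `current_principal` would also benefit from a type annotation.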