api: Require authentication to close reports
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 2 Mar 2026 18:32:44 +0000 (18:32 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 2 Mar 2026 18:32:44 +0000 (18:32 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/dbl/api/reports.py
src/dbl/reports.py

index 345250dfc5bc7ded5b3d8b385e37f57ae115372c..08c0d80b3329a5395e29ad73993000bcf79570f9 100644 (file)
@@ -45,6 +45,11 @@ class CreateReport(pydantic.BaseModel):
        block: bool = True
 
 
+class CloseReport(pydantic.BaseModel):
+       # Accept?
+       accept: bool = True
+
+
 # Create a router
 router = fastapi.APIRouter(
        prefix="/reports",
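Review bot: `CloseReport` no longer declares `closed_by`, but pydantic ignores unknown fields by default, so a client that still posts `closed_by` would be accepted and may assume its value was recorded. If the project is on pydantic v2, adding `model_config = pydantic.ConfigDict(extra="forbid")` to the class would make such requests fail validation instead. A class comment such as `# Request body for closing a report; the closing user comes from the authenticated session` would document the new contract.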
@@ -90,20 +95,14 @@ async def create_report(
 async def get_report(report = fastapi.Depends(get_report_from_path)) -> reports.Report:
        return report
 
-class CloseReport(pydantic.BaseModel):
-       # Closed By
-       closed_by: str
-
-       # Accept?
-       accept: bool = True
-
 @router.post("/{id}/close")
 async def close_report(
                data: CloseReport,
                report: reports.Report = fastapi.Depends(get_report_from_path),
+               user: users.User = fastapi.Depends(require_current_user),
 ) -> fastapi.Response:
        await report.close(
-               closed_by = data.closed_by,
+               closed_by = user,
                accept    = data.accept,
        )
 
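Review bot: Nothing before `await report.close(` checks that the authenticated user is allowed to close this particular report. `require_current_user` presumably only establishes identity, so as far as this hunk shows any logged-in account can close any report, and accept it by default. The `# XXX Check for permissions` marker in `Report.close` (src/dbl/reports.py) is still unresolved after this commit. Add an authorization check here or in `close()` that answers with `fastapi.HTTPException(status_code=403)` when the user lacks the right to moderate reports. A one-line docstring on `close_report` saying that `closed_by` comes from the session and not the request body would also help.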
index 18fc9ceac73d778bd0c04a4c4250a40232e0da2a..eccec49de6185c0cd1d9980b586583015e88e4ae 100644 (file)
@@ -252,6 +252,10 @@ class Report(sqlmodel.SQLModel, database.BackendMixin, table=True):
 
                # XXX Check for permissions
 
+               # Only the the user ID in the database
+               if isinstance(closed_by, users.User):
+                       closed_by = closed_by.uid
+
                # Mark this report as closed
                self.closed_at = sqlmodel.func.current_timestamp()
                self.closed_by = closed_by
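Review bot: The `isinstance(closed_by, users.User)` branch leaves any other value untouched, so `close()` still stores whatever string a caller passes as `closed_by`. The attribution guarantee this commit adds is therefore enforced only at the API layer. The method's signature and its other callers lie outside the hunk; if none of them needs to pass a raw uid, consider requiring a `users.User` and raising `TypeError` for anything else. The new comment has a typo and a missing verb, and would read better as `# Only store the user ID in the database`.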