From: Michael Tremer
Date: Mon, 2 Mar 2026 18:32:44 +0000 (+0000)
Subject: api: Require authentication to close reports
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5eb3958a167a76883f2284bfa0bfbf8a37eac65a;p=dbl.git

api: Require authentication to close reports

Signed-off-by: Michael Tremer
---
diff --git a/src/dbl/api/reports.py b/src/dbl/api/reports.py
index 345250d..08c0d80 100644
--- a/src/dbl/api/reports.py
+++ b/src/dbl/api/reports.py
@@ -45,6 +45,11 @@ class CreateReport(pydantic.BaseModel):
 block: bool = True
+class CloseReport(pydantic.BaseModel):
+ # Accept?
+ accept: bool = True
+
+
 # Create a router
 router = fastapi.APIRouter(
 prefix="/reports",
@@ -90,20 +95,14 @@ async def create_report(
 async def get_report(report = fastapi.Depends(get_report_from_path)) -> reports.Report:
 return report
-class CloseReport(pydantic.BaseModel):
- # Closed By
- closed_by: str
-
- # Accept?
- accept: bool = True
-
 @router.post("/{id}/close")
 async def close_report(
 data: CloseReport,
 report: reports.Report = fastapi.Depends(get_report_from_path),
+ user: users.User = fastapi.Depends(require_current_user),
 ) -> fastapi.Response:
 await report.close(
- closed_by = data.closed_by,
+ closed_by = user,
 accept = data.accept,
 )
diff --git a/src/dbl/reports.py b/src/dbl/reports.py
index 18fc9ce..eccec49 100644
--- a/src/dbl/reports.py
+++ b/src/dbl/reports.py
@@ -252,6 +252,10 @@ class Report(sqlmodel.SQLModel, database.BackendMixin, table=True):
 # XXX Check for permissions
+ # Only the the user ID in the database
+ if isinstance(closed_by, users.User):
+ closed_by = closed_by.uid
+
 # Mark this report as closed
 self.closed_at = sqlmodel.func.current_timestamp()
 self.closed_by = closed_by
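Review bot: `CloseReport` no longer declares `closed_by`, but a pydantic model ignores unknown fields by default, so a client that still posts `closed_by` gets no error and its value is silently dropped. That is the safe outcome for attribution, yet it hides stale or probing clients. Consider rejecting unknown fields so the request fails visibly; on pydantic v2 that is `model_config = pydantic.ConfigDict(extra="forbid")` inside the class.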
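Review bot: `close_report` now establishes who is calling but not whether that caller may close this report. The new `user` dependency is passed straight to `report.close()` as `closed_by`, and nothing in the visible lines checks a role or ownership. The `# XXX Check for permissions` marker in the src/dbl/reports.py hunk suggests `Report.close()` does not enforce it either, so as far as this diff shows any authenticated account can close any report. Add the authorization check in the same change, or at least put a comment above the handler such as `# TODO: authentication only; any logged-in user can close any report until permissions are checked`. The imports of `users` and `require_current_user` are outside the hunk, so confirm both names are in scope in this module.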
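Review bot: The added comment has a doubled word and no verb; `# Only store the user ID in the database` is presumably what was meant. `close()` still accepts a non-`User` value for `closed_by` and stores it unchanged, which keeps open a path for recording a caller-chosen identity. Now that the API handler always passes a `users.User`, consider rejecting anything else before reading `.uid`, e.g. `if not isinstance(closed_by, users.User): raise TypeError("closed_by must be a users.User")`. The signature of `close()` and its other callers are outside the hunk, so check them before tightening the type.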