diff --git a/app.py b/app.py
index 8fb2a4c..d829441 100644
--- a/app.py
+++ b/app.py
@@ -212,6 +212,7 @@ class PathogenList(Resource):
     ### GET /pathogens ###
     @pathogen_ns.doc('list_pathogens')
+    @require_auth(keycloak_auth)
     def get(self):
         """List all pathogens (public access)
@@ -300,6 +301,7 @@ class Pathogen(Resource):
     ### GET /pathogens/ ###
     @pathogen_ns.doc('get_pathogen')
+    @require_auth(keycloak_auth)
     def get(self, pathogen_id):
         """Get details of a specific pathogen by ID (public access)"""
@@ -513,6 +515,7 @@ class SchemaList(Resource):
     ### GET /schemas ###
     @schema_ns.doc('list_schemas')
+    @require_auth(keycloak_auth)
     def get(self):
         """List all available schemas (public access)"""
@@ -607,6 +610,7 @@ class Schema(Resource):
     ### GET /schemas/ ###
     @schema_ns.doc('get_schema')
+    @require_auth(keycloak_auth)
     def get(self, schema_id):
         """Get schema details by ID (public access)"""
@@ -863,6 +867,7 @@ class RefreshToken(Resource):
     ### POST /users/refresh-token ###
     @api.doc('refresh_access_token')
+    @require_auth(keycloak_auth)
     def post(self):
         try:
             data = request.get_json()
@@ -964,6 +969,7 @@ class Organisation(Resource):
     ### GET /organisations/ ###
     @organisation_ns.doc('get_organisation')
+    @require_auth(keycloak_auth)
     def get(self, org_id):
         """Get organisation details by ID"""
@@ -1255,6 +1261,7 @@ class ProjectList(Resource):
     ### GET /projects ###
     @api.doc('list_projects')
+    @require_auth(keycloak_auth)
     def get(self):
         """List projects based on user permissions with filtering and pagination
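Review bot: The docstring on the line after the added `@require_auth(keycloak_auth)` still reads `(public access)`, so the docstring and the Swagger description generated from it now contradict the guard; the next three hunks (`Pathogen.get`, `SchemaList.get`, `Schema.get`) have the same mismatch. Update each summary to reflect the new contract, e.g. `"""List all pathogens (requires a valid Keycloak token)"""`, or drop the parenthetical. If these endpoints were deliberately open to unauthenticated consumers, this is a breaking API change worth calling out in the commit message. Each of these `get` bodies continues outside its hunk.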
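Review bot: Putting `@require_auth(keycloak_auth)` on `POST /users/refresh-token` is likely to reject exactly the clients the endpoint exists for, if `require_auth` validates the access token from the request (its implementation is not visible here): a client whose access token has expired cannot present a valid one and so can never reach the refresh logic. If the goal is only to ensure a refresh token is supplied, that check belongs in the handler body after `data = request.get_json()`, with the refresh token itself validated against Keycloak rather than the access token. The body of `post` continues outside the hunk.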
@@ -1445,16 +1452,18 @@ class Project(Resource):
     ### GET /projects/ ###
     @api.doc('get_project')
+    @require_auth(keycloak_auth)
     def get(self, project_id):
         """Get single project details based on user permissions"""
+        user_info = extract_user_info(request.user)
         organisation_id = keycloak_auth.get_user_org()
         try:
             with get_db_cursor() as cursor:
-                if organisation_id is not None:
+                if organisation_id is not None and user_info["roles"][0] != "agari-org-partial":
                     cursor.execute(""" SELECT * FROM projects
@@ -3246,6 +3255,7 @@ class ProjectInviteStatus(Resource):
     ### GET /invites/project/ ###
     @api.doc('get_project_invites')
+    @require_auth(keycloak_auth)
     def get(self, project_id):
         users = keycloak_auth.get_users_by_attribute('invite_project_id', project_id)
         user_invites = extract_invite_roles(users, "")
@@ -3255,6 +3265,7 @@ def get(self, project_id):
     ### DELETE /invites/project/ ###
     @api.doc('delete_project_invite')
+    @require_auth(keycloak_auth)
     def delete(self, project_id):
         user = keycloak_auth.get_users_by_attribute('invite_project_id', project_id)[0]
         user_id = user["user_id"]
@@ -3282,6 +3293,7 @@ class OrgInviteStatus(Resource):
     ### GET /invites/organisation/ ###
     @api.doc('get_project_invites')
+    @require_auth(keycloak_auth)
     def get(self, org_id):
         users = keycloak_auth.get_users_by_attribute('invite_org_id', org_id)
         user_invites = extract_invite_roles(users, "org_")
@@ -3291,6 +3303,7 @@ def get(self, org_id):
     ### DELETE /invites/organisation/ ###
     @api.doc('delete_organisation_invite')
+    @require_auth(keycloak_auth)
     def delete(self, org_id):
         user = keycloak_auth.get_users_by_attribute('invite_org_id', org_id)[0]
         user_id = user["user_id"]
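Review bot: The added condition `user_info["roles"][0] != "agari-org-partial"` makes an authorization decision depend on the position of a role in a list: a token carrying no roles raises `IndexError` (a 500 instead of a 403), and a user who holds `agari-org-partial` alongside other roles is treated as a full member or not purely by claim ordering, which the token issuer does not guarantee. A membership test is both safer and clearer: `if organisation_id is not None and "agari-org-partial" not in user_info["roles"]:`. The `get` body continues outside the hunk, so what the non-matching branch returns for partial users is not visible here.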
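Review bot: `@require_auth(keycloak_auth)` on `ProjectInviteStatus.get` authenticates the caller, but nothing in the hunk ties the caller to `project_id`; unless `require_auth` or `get_users_by_attribute` scopes results by the requesting user (not visible here), any authenticated user can read invite state for any project. The same gap applies to the three following hunks (`ProjectInviteStatus.delete`, `OrgInviteStatus.get`, `OrgInviteStatus.delete`), where `delete` is the more serious case. Consider a membership check at the top of each handler, in the way `Project.get` consults `keycloak_auth.get_user_org()` before querying. Each handler body continues outside its hunk.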
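Review bot: `keycloak_auth.get_users_by_attribute('invite_project_id', project_id)[0]` on the line after the new decorator raises `IndexError` when no invite matches, which surfaces as a 500 rather than a 404, and when several users share the same `invite_project_id` it deletes only the first while the sibling `get` reports all of them; `OrgInviteStatus.delete` in the last hunk has the same shape. Guard the lookup before indexing: `users = keycloak_auth.get_users_by_attribute('invite_project_id', project_id)` / `if not users: return {"message": "No invite found"}, 404` / `user = users[0]`. The `delete` body continues outside the hunk.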