From 44d6eb8570090544620ac6bd174f3f249f47190d Mon Sep 17 00:00:00 2001
From: Terrtia <or1994@hotmail.fr>
Date: Thu, 11 Jul 2019 13:58:15 +0200
Subject: [PATCH] chg: [rest API] access: check token user role

---
 var/www/modules/restApi/Flask_restApi.py | 48 +++++++++++++++++-------
 1 file changed, 35 insertions(+), 13 deletions(-)

diff --git a/var/www/modules/restApi/Flask_restApi.py b/var/www/modules/restApi/Flask_restApi.py
index 4535da28..f73434de 100644
--- a/var/www/modules/restApi/Flask_restApi.py
+++ b/var/www/modules/restApi/Flask_restApi.py
@@ -36,7 +36,7 @@ def check_token_format(strg, search=re.compile(r'[^a-zA-Z0-9_-]').search):
     return not bool(search(strg))
 
 def verify_token(token):
-    if len(token) != 55:
+    if len(token) != 41:
         return False
 
     if not check_token_format(token):
@@ -47,23 +47,41 @@ def verify_token(token):
     else:
         return False
 
+def verify_user_role(role, token):
+    user_id = r_serv_db.hget('user:tokens', token)
+    if user_id:
+        if is_in_role(user_id, role):
+            return True
+        else:
+            return False
+    else:
+        return False
+
+def is_in_role(user_id, role):
+    if r_serv_db.sismember('user_role:{}'.format(role), user_id):
+        return True
+    else:
+        return False
+
 # ============ DECORATOR ============
 
-def token_required(funct):
-    @wraps(funct)
-    def api_token(*args, **kwargs):
-        data = authErrors()
-        if data:
-            return Response(json.dumps(data[0], indent=2, sort_keys=True), mimetype='application/json'), data[1]
-        else:
-            return funct(*args, **kwargs)
-    return api_token
+def token_required(user_role):
+    def actual_decorator(funct):
+        @wraps(funct)
+        def api_token(*args, **kwargs):
+            data = authErrors(user_role)
+            if data:
+                return Response(json.dumps(data[0], indent=2, sort_keys=True), mimetype='application/json'), data[1]
+            else:
+                return funct(*args, **kwargs)
+        return api_token
+    return actual_decorator
 
 def get_auth_from_header():
     token = request.headers.get('Authorization').replace(' ', '') # remove space
     return token
 
-def authErrors():
+def authErrors(user_role):
     # Check auth
     if not request.headers.get('Authorization'):
         return ({'status': 'error', 'reason': 'Authentication needed'}, 401)
@@ -76,6 +94,10 @@ def authErrors():
         if verify_token(token):
             authenticated = True
 
+            # check user role
+            if not verify_user_role(user_role, token):
+                data = ({'status': 'error', 'reason': 'Access Forbidden'}, 403)
+
         if not authenticated:
             data = ({'status': 'error', 'reason': 'Authentication failed'}, 401)
     except Exception as e:
@@ -98,8 +120,8 @@ def one():
 # def api():
 #     return 'api doc'
 
-@restApi.route("api/items", methods=['POST'])
-@token_required
+@restApi.route("api/items", methods=['GET', 'POST'])
+@token_required('admin')
 def items():
     item = request.args.get('id')