api: properly compute authorization based on ccchh role

2026-05-14 16:41:16 +02:00 · 2026-05-14 16:41:16 +02:00 · bf0c085739
commit bf0c085739
parent 188002b3f3
3 changed files with 10 additions and 8 deletions
--- a/api/src/dooris_api/app.py
+++ b/api/src/dooris_api/app.py
@ -71,6 +71,7 @@ async def get_user_info(
            current_user.id_token.exp, UTC
        ),
        username=current_user.id_token.preferred_username,
+        ccchh_roles=current_user.ccchh_roles,
    )


@ -117,7 +118,7 @@ async def login_init(
    response_class=RedirectResponse,
    status_code=302,
 )
-async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient):
+async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient) -> str:
    # check that the user is currently in an authenticating state
    # these cookies are set by the login_init() view
    if (
@ -167,7 +168,7 @@ async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidC
 )
 async def logout(
    resp: Response, oidc_client: deps.OpenidClient, current_user: deps.CurrentUser
-):
+) -> str:
    deps.clear_auth_state(resp)
    return oidc_client.initiate_logout(
        RpInitiatedLogoutRequest(
@ -253,7 +254,7 @@ async def operate_lock(
 ) -> None:
    if not current_user.may_operate_locks:
        raise exceptions.HttpProblemException.forbidden_to_operate(req.url)
-    # TODO: Validate that the user is authorized
+
    # find appropriate lock from ccujack
    for i_lock, lock_channels in ccujack.locks:
        if i_lock.identifier == lock_id: