github-starred/flowsint
2
0
Fork 0
mirror of https://github.com/reconurge/flowsint.git synced 2026-05-04 02:38:14 -05:00
Code Issues 264 Packages Projects Releases 11 Wiki Activity

fix(api): patch missing permissions on api routes

Browse Source
This commit is contained in:
dextmorgn
2025-12-17 10:16:54 +01:00
parent 0577080b4e
commit a15ce33df4
7 changed files with 145 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
flowsint-api/app/api/routes/analysis.py
View File

@@ -3,9 +3,11 @@ from app.security.permissions import check_investigation_permission
from fastapi import APIRouter, HTTPException, Depends, status
from typing import List
from datetime import datetime
from sqlalchemy import or_
from sqlalchemy.orm import Session
from flowsint_core.core.postgre_db import get_db
from flowsint_core.core.models import Analysis, Profile
from flowsint_core.core.models import Analysis, Profile, InvestigationUserRole
from flowsint_core.core.types import Role
from app.api.deps import get_current_user
from app.api.schemas.analysis import AnalysisRead, AnalysisCreate, AnalysisUpdate
@@ -17,8 +19,21 @@ router = APIRouter()
def get_analyses(
db: Session = Depends(get_db), current_user: Profile = Depends(get_current_user)
):
analyses = db.query(Analysis).filter(Analysis.owner_id == current_user.id).all()
return analyses
# Get all analyses from investigations where user has at least VIEWER role
allowed_roles_for_read = [Role.OWNER, Role.EDITOR, Role.VIEWER]
query = db.query(Analysis).join(
InvestigationUserRole,
InvestigationUserRole.investigation_id == Analysis.investigation_id,
)
query = query.filter(InvestigationUserRole.user_id == current_user.id)
# Filter by allowed roles
conditions = [InvestigationUserRole.roles.any(role) for role in allowed_roles_for_read]
query = query.filter(or_(*conditions))
return query.distinct().all()
# Create a New analysis