weefnn/full-stack-fastapi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🐛Update items.py to return status code 403 in case of insufficient permissions (#1543)

Browse Source
This commit is contained in:
Joel Pérez Izquierdo
2026-01-22 13:46:35 +01:00
committed by GitHub
parent a45258f520
commit 9fe3a4d221
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/app/api/routes/items.py
View File

@@ -50,7 +50,7 @@ def read_item(session: SessionDep, current_user: CurrentUser, id: uuid.UUID) ->
if not item: if not item:
raise HTTPException(status_code=404, detail="Item not found") raise HTTPException(status_code=404, detail="Item not found")
if not current_user.is_superuser and (item.owner_id != current_user.id): if not current_user.is_superuser and (item.owner_id != current_user.id):
raise HTTPException(status_code=400, detail="Not enough permissions") raise HTTPException(status_code=403, detail="Not enough permissions")
return item return item
@@ -83,7 +83,7 @@ def update_item(
if not item: if not item:
raise HTTPException(status_code=404, detail="Item not found") raise HTTPException(status_code=404, detail="Item not found")
if not current_user.is_superuser and (item.owner_id != current_user.id): if not current_user.is_superuser and (item.owner_id != current_user.id):
raise HTTPException(status_code=400, detail="Not enough permissions") raise HTTPException(status_code=403, detail="Not enough permissions")
update_dict = item_in.model_dump(exclude_unset=True) update_dict = item_in.model_dump(exclude_unset=True)
item.sqlmodel_update(update_dict) item.sqlmodel_update(update_dict)
session.add(item) session.add(item)
@@ -103,7 +103,7 @@ def delete_item(
if not item: if not item:
raise HTTPException(status_code=404, detail="Item not found") raise HTTPException(status_code=404, detail="Item not found")
if not current_user.is_superuser and (item.owner_id != current_user.id): if not current_user.is_superuser and (item.owner_id != current_user.id):
raise HTTPException(status_code=400, detail="Not enough permissions") raise HTTPException(status_code=403, detail="Not enough permissions")
session.delete(item) session.delete(item)
session.commit() session.commit()
return Message(message="Item deleted successfully") return Message(message="Item deleted successfully")

6
backend/tests/api/routes/test_items.py
View File

@@ -60,7 +60,7 @@ def test_read_item_not_enough_permissions(
f"{settings.API_V1_STR}/items/{item.id}", f"{settings.API_V1_STR}/items/{item.id}",
headers=normal_user_token_headers, headers=normal_user_token_headers,
) )
assert response.status_code == 400 assert response.status_code == 403
content = response.json() content = response.json()
assert content["detail"] == "Not enough permissions" assert content["detail"] == "Not enough permissions"
@@ -121,7 +121,7 @@ def test_update_item_not_enough_permissions(
headers=normal_user_token_headers, headers=normal_user_token_headers,
json=data, json=data,
) )
assert response.status_code == 400 assert response.status_code == 403
content = response.json() content = response.json()
assert content["detail"] == "Not enough permissions" assert content["detail"] == "Not enough permissions"
@@ -159,6 +159,6 @@ def test_delete_item_not_enough_permissions(
f"{settings.API_V1_STR}/items/{item.id}", f"{settings.API_V1_STR}/items/{item.id}",
headers=normal_user_token_headers, headers=normal_user_token_headers,
) )
assert response.status_code == 400 assert response.status_code == 403
content = response.json() content = response.json()
assert content["detail"] == "Not enough permissions" assert content["detail"] == "Not enough permissions"