feat: add admin only decorator

example.env

@@ -3,6 +3,5 @@ SESSION_KEY=averyrandomandsecretivekey
 ACME_EMAIL=administrator@email.com # used to register the ssl certificate for https
 ADMIN_PROD_USERNAME=adminusername
 ADMIN_PROD_PWD=adminpassword
-ADMIN_PROD_ROLES=["USER","ADMIN"]
 IMGBB_API_KEY=imgbbapikey # api-key from https://api.imgbb.com/
 GEMINI_API_KEY=mygeminiapikey

flask_backend/routes/auth.py

@@ -16,6 +16,7 @@
 from werkzeug.security import check_password_hash, generate_password_hash
 
 from flask_backend.repository import users as users_repository
+from flask_backend.utils.enums.role import RoleEnum
 
 bp = Blueprint("auth", __name__, url_prefix="/auth")
 
@@ -83,6 +84,11 @@ def logout():
     return redirect(url_for("screening.index"))
 
 
+@bp.route("/forbidden")
+def forbidden():
+    return render_template("auth/forbidden.html")
+
+
 @bp.before_app_request
 def load_logged_in_user():
     user_id = session.get("user_id")
@@ -102,3 +108,15 @@ def wrapped_view(**kwargs):
         return view(**kwargs)
 
     return wrapped_view
+
+
+def admin_only(view):
+    @functools.wraps(view)
+    def wrapped_view(**kwargs):
+        if RoleEnum.ADMIN.role not in [role.role for role in g.user.roles]:
+            if request.method == "POST":
+                abort(403)
+            return redirect(url_for("auth.forbidden"))
+        return view(**kwargs)
+
+    return wrapped_view

flask_backend/routes/screening.py

@@ -35,15 +35,14 @@
     update as update_screening,
     update_screening_dates,
 )
-from flask_backend.routes.auth import login_required
+from flask_backend.routes.auth import admin_only, login_required
 from flask_backend.service.gemini_api import Gemini
 from flask_backend.service.screening import (
     build_dates,
     import_scrapped_results,
     save_image,
     validate_image,
 )
-from flask_backend.utils.enums.role import RoleEnum
 from scrapers.capitolio import Capitolio
 from scrapers.cinebancarios import CineBancarios
 from scrapers.paulo_amorim import CinematecaPauloAmorim
@@ -118,6 +117,7 @@ def upload(filename):
 
 @bp.route("/screening/new", methods=("GET", "POST"))
 @login_required
+@admin_only
 def create():
     screening_dates = []
     if request.method == "POST":
@@ -191,19 +191,14 @@ def create():
         except ValueError:
             pass
 
-    if RoleEnum.ADMIN.role in [role.role for role in g.user.roles]:
-        return render_template(
-            "screening/create.html",
-            cinemas=cinemas,
-            current_date=current_date,
-            received_dates=valid_dates,
-            max_year=max_year,
-            max_file_size=current_app.config["MAX_CONTENT_LENGTH"],
-        )
-    else:
-        return render_template(
-            "auth/forbidden.html",
-        )
+    return render_template(
+        "screening/create.html",
+        cinemas=cinemas,
+        current_date=current_date,
+        received_dates=valid_dates,
+        max_year=max_year,
+        max_file_size=current_app.config["MAX_CONTENT_LENGTH"],
+    )
 
 
 @bp.route("/screening/<int:id>/publish", methods=("POST",))
@@ -382,6 +377,7 @@ def runScrap():
 
 @bp.route("/screening/import", methods=("GET", "POST"))
 @login_required
+@admin_only
 def import_screenings():
     suggestions = []
     if request.method == "POST":
@@ -420,12 +416,7 @@ def import_screenings():
 
         flash(f"«{created_features}» sessões criadas com sucesso!", "success")
 
-    if RoleEnum.ADMIN.role in [role.role for role in g.user.roles]:
-        return render_template("screening/import.html", suggestions=suggestions)
-    else:
-        return render_template(
-            "auth/forbidden.html",
-        )
+    return render_template("screening/import.html", suggestions=suggestions)
 
 
 @bp.route("/screening/image/describe", methods=("POST",))