added permission checks to user and recorder API

backend/auth/utils.py

@@ -2,6 +2,8 @@ import flask_jwt_extended
 from flask_jwt_extended import jwt_optional, get_jwt_identity
 from functools import wraps
 
+from flask_restx import abort
+
 from backend import jwt_auth
 from backend.models.user_model import User
 
@@ -10,26 +12,16 @@ def requires_permission_level(permission_level):
     def decorator(f):
         @wraps(f)
         def decorated_function(*args, **kwargs):
-            if flask_jwt_extended.verify_jwt_in_request():
-                current_user_id = get_jwt_identity()
-                user = User.get_by_identifier(current_user_id)
-                if user is not None:
-                    if user.has_permission(permission_level):
-                    #for g in user.groups:
-                    #    if g.permissions
-                        #TODO
-                        pass
-                    else:
-                        pass
-                        # return FALSE
-            #if not session.get('email'):
-            #    return redirect(url_for('users.login'))
-
-            #user = User.find_by_email(session['email'])
-            #elif not user.allowed(access_level):
-            #    return redirect(url_for('users.profile', message="You do not have access to that page. Sorry!"))
+            # if flask_jwt_extended.verify_jwt_in_request():
+            current_user_id = get_jwt_identity()
+            user = User.get_by_identifier(current_user_id)
+            if user is not None:
+                if not user.has_permission(permission_level):
+                    abort(401, f"You are missing the permission: {permission_level}")
             return f(*args, **kwargs)
+
         return decorated_function
+
     return decorator
 
 
@@ -38,5 +30,7 @@ def require_jwt():
         @wraps(f)
         def decorated_function(*args, **kwargs):
             return jwt_auth.login_required(jwt_optional(f(*args, **kwargs)))
+
         return decorated_function
+
     return decorator