API - limit access to users for now

- only auth user can access his preference
- only admin can visualize users

fittrackee/users/auth.py

@@ -386,7 +386,7 @@ def get_authenticated_user_profile(
         - invalid token, please log in again
 
     """
-    return {'status': 'success', 'data': auth_user.serialize()}
+    return {'status': 'success', 'data': auth_user.serialize(auth_user)}
 
 
 @auth_blueprint.route('/auth/profile/edit', methods=['POST'])
@@ -540,7 +540,7 @@ def edit_user(auth_user: User) -> Union[Dict, HttpResponse]:
         return {
             'status': 'success',
             'message': 'user profile updated',
-            'data': auth_user.serialize(),
+            'data': auth_user.serialize(auth_user),
         }
 
     # handler errors
@@ -734,7 +734,7 @@ def update_user_account(auth_user: User) -> Union[Dict, HttpResponse]:
         return {
             'status': 'success',
             'message': 'user account updated',
-            'data': auth_user.serialize(),
+            'data': auth_user.serialize(auth_user),
         }
 
     except (exc.IntegrityError, exc.OperationalError, ValueError) as e:
@@ -872,7 +872,7 @@ def edit_user_preferences(auth_user: User) -> Union[Dict, HttpResponse]:
         return {
             'status': 'success',
             'message': 'user preferences updated',
-            'data': auth_user.serialize(),
+            'data': auth_user.serialize(auth_user),
         }
 
     # handler errors

fittrackee/users/models.py

@@ -11,6 +11,8 @@ from sqlalchemy.sql.expression import select
 from fittrackee import bcrypt, db
 from fittrackee.workouts.models import Workout
 
+from .exceptions import UserNotFoundException
+from .roles import UserRole
 from .utils.token import decode_user_token, get_user_token
 
 BaseModel: DeclarativeMeta = db.Model
@@ -109,7 +111,18 @@ class User(BaseModel):
             .label('workouts_count')
         )
 
-    def serialize(self) -> Dict:
+    def serialize(self, current_user: 'User') -> Dict:
+        role = (
+            UserRole.AUTH_USER
+            if current_user.id == self.id
+            else UserRole.ADMIN
+            if current_user.admin
+            else UserRole.USER
+        )
+
+        if role == UserRole.USER:
+            raise UserNotFoundException()
+
         sports = []
         total = (0, '0:00:00')
         if self.workouts_count > 0:  # type: ignore
@@ -127,30 +140,40 @@ class User(BaseModel):
                 .filter(Workout.user_id == self.id)
                 .first()
             )
-        return {
-            'username': self.username,
-            'email': self.email,
-            'created_at': self.created_at,
+
+        serialized_user = {
             'admin': self.admin,
+            'bio': self.bio,
+            'birth_date': self.birth_date,
+            'created_at': self.created_at,
+            'email': self.email,
+            'email_to_confirm': self.email_to_confirm,
             'first_name': self.first_name,
             'last_name': self.last_name,
-            'bio': self.bio,
             'location': self.location,
-            'birth_date': self.birth_date,
-            'picture': self.picture is not None,
-            'timezone': self.timezone,
-            'weekm': self.weekm,
-            'language': self.language,
             'nb_sports': len(sports),
             'nb_workouts': self.workouts_count,
+            'picture': self.picture is not None,
             'records': [record.serialize() for record in self.records],
             'sports_list': [
                 sport for sportslist in sports for sport in sportslist
             ],
             'total_distance': float(total[0]),
             'total_duration': str(total[1]),
-            'imperial_units': self.imperial_units,
+            'username': self.username,
         }
+        if role == UserRole.AUTH_USER:
+            serialized_user = {
+                **serialized_user,
+                **{
+                    'imperial_units': self.imperial_units,
+                    'language': self.language,
+                    'timezone': self.timezone,
+                    'weekm': self.weekm,
+                },
+            }
+
+        return serialized_user
 
 
 class UserSportPreference(BaseModel):

fittrackee/users/roles.py

@@ -0,0 +1,7 @@
+from enum import Enum
+
+
+class UserRole(Enum):
+    ADMIN = 'admin'
+    AUTH_USER = 'auth_user'
+    USER = 'user'

fittrackee/users/users.py

@@ -50,7 +50,7 @@ def set_admin(username: str) -> None:
 
 
 @users_blueprint.route('/users', methods=['GET'])
-@authenticate
+@authenticate_as_admin
 def get_users(auth_user: User) -> Dict:
     """
     Get all users
@@ -227,7 +227,7 @@ def get_users(auth_user: User) -> Dict:
     users = users_pagination.items
     return {
         'status': 'success',
-        'data': {'users': [user.serialize() for user in users]},
+        'data': {'users': [user.serialize(auth_user) for user in users]},
         'pagination': {
             'has_next': users_pagination.has_next,
             'has_prev': users_pagination.has_prev,
@@ -239,7 +239,7 @@ def get_users(auth_user: User) -> Dict:
 
 
 @users_blueprint.route('/users/<user_name>', methods=['GET'])
-@authenticate
+@authenticate_as_admin
 def get_single_user(
     auth_user: User, user_name: str
 ) -> Union[Dict, HttpResponse]:
@@ -345,7 +345,7 @@ def get_single_user(
         if user:
             return {
                 'status': 'success',
-                'data': {'users': [user.serialize()]},
+                'data': {'users': [user.serialize(auth_user)]},
             }
     except ValueError:
         pass
@@ -581,7 +581,7 @@ def update_user(auth_user: User, user_name: str) -> Union[Dict, HttpResponse]:
 
         return {
             'status': 'success',
-            'data': {'users': [user.serialize()]},
+            'data': {'users': [user.serialize(auth_user)]},
         }
     except exc.StatementError as e:
         return handle_error_and_return_response(e, db=db)