From e3c128c4fd346ecd45876002cdb9d6f43ee13559 Mon Sep 17 00:00:00 2001
From: msramalho <19508417+msramalho@users.noreply.github.com>
Date: Tue, 17 Oct 2023 16:08:35 +0100
Subject: [PATCH] adds access control to new endpoint

---
 src/db/crud.py | 13 +++++++------
 src/main.py    |  6 +++---
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/db/crud.py b/src/db/crud.py
index f4cac35..b3e444a 100644
--- a/src/db/crud.py
+++ b/src/db/crud.py
@@ -14,12 +14,13 @@ DOMAIN_GROUPS_LOADED = False
 
 
 # --------------- TASK = Archive
-def get_task(db: Session, task_id: str):
-    return base_query(db).filter(models.Archive.id == task_id).first()
-
-
-def get_tasks(db: Session, skip: int = 0, limit: int = 100):
-    return base_query(db).offset(skip).limit(limit).all()
+def get_task(db: Session, task_id: str, email: str):
+    email = email.lower()
+    query = base_query(db).filter(models.Archive.id == task_id)
+    if email != ALLOW_ANY_EMAIL:
+        groups = get_user_groups(db, email)
+        query = query.filter(or_(models.Archive.public == True, models.Archive.author_id == email, models.Archive.group_id.in_(groups)))
+    return query.first()
 
 
 def search_tasks_by_url(db: Session, url: str, email: str, skip: int = 0, limit: int = 100, archived_after: datetime = None, archived_before: datetime = None):
diff --git a/src/main.py b/src/main.py
index 0ed4a71..ab8aeab 100644
--- a/src/main.py
+++ b/src/main.py
@@ -25,7 +25,7 @@ load_dotenv()
 
 # Configuration
 ALLOWED_ORIGINS = os.environ.get("ALLOWED_ORIGINS", "chrome-extension://ondkcheoicfckabcnkdgbepofpjmjcmb,chrome-extension://ojcimmjndnlmmlgnjaeojoebaceokpdp").split(",")
-VERSION = "0.5.4"
+VERSION = "0.5.5"
 # min-version refers to the version of auto-archiver-extension on the webstore
 BREAKING_CHANGES = {"minVersion": "0.3.1", "message": "The latest update has breaking changes, please update the extension to the most recent version."}
 
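Review bot: `models.Archive.public == True` on the new filter line in get_task is the form linters flag (E712) and reads like a Python comparison; SQLAlchemy's `models.Archive.public.is_(True)` expresses the same column test. The visibility condition (public, or own author, or member group) is the rule that presumably also has to guard search_tasks_by_url, whose body starts past the hunk, so it is worth extracting into one helper that every read path calls, so that a future endpoint cannot skip the check. get_task also lacks a docstring; it should say that an `email` equal to ALLOW_ANY_EMAIL bypasses the visibility filter and that `.first()` yields None for both an unknown id and an id the caller may not see. Note too that `email.lower()` runs before the ALLOW_ANY_EMAIL comparison, so the sentinel must itself be lowercase for the bypass to ever match; if it is not, the comparison fails closed, which may or may not be what is intended.
```python
def _visible_to(query, db: Session, email: str):
    """Restrict query to Archives that email may read; ALLOW_ANY_EMAIL means no restriction."""
    if email == ALLOW_ANY_EMAIL:
        return query
    groups = get_user_groups(db, email)
    return query.filter(or_(models.Archive.public.is_(True), models.Archive.author_id == email, models.Archive.group_id.in_(groups)))


def get_task(db: Session, task_id: str, email: str):
    """Return the Archive with id task_id if email may read it, else None."""
    query = base_query(db).filter(models.Archive.id == task_id)
    return _visible_to(query, db, email.lower()).first()
```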
@@ -101,8 +101,8 @@ def archive_tasks(archive:schemas.ArchiveCreate, email = Depends(get_bearer_auth
     return JSONResponse({"id": task.id})
 
 @app.get("/archive/{task_id}")
-def lookup(task_id, db: Session = Depends(get_db), email = Depends(get_bearer_auth)):
-    return crud.get_task(db, task_id)
+def lookup(task_id, db: Session = Depends(get_db), email = Depends(get_bearer_auth_token_or_jwt)):
+    return crud.get_task(db, task_id, email)
 
 @app.get("/tasks/{task_id}")
 def get_status(task_id, email = Depends(get_bearer_auth)):
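Review bot: `lookup` hands back whatever `crud.get_task` returns, so an id that exists but is not visible to `email` and an unknown id both answer with a 200 and a `null` body; raising FastAPI's `HTTPException(status_code=404)` when the result is None gives callers a real status while still not revealing whether the archive exists, since both cases get the same 404. The body would become `task = crud.get_task(db, task_id, email)`, `if task is None: raise HTTPException(status_code=404, detail="Not found")`, `return task`, assuming HTTPException is imported in main.py. The switch to `get_bearer_auth_token_or_jwt` means `email` may now come from a static-token path as well as a JWT, and `crud.get_task` calls `email.lower()` unconditionally, so that dependency must always resolve to a str (the ALLOW_ANY_EMAIL sentinel or an address) rather than None, which cannot be confirmed from this hunk. `get_status` two lines below still depends on `get_bearer_auth`; if that is deliberate, a one-line comment saying why the two endpoints differ would help the next reader.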