Fix permission check (#456)

* Fix admin check * Fix some more edge-cases and tests
thunderbird · Jun 6, 2024 · 2f4e765 · 2f4e765
1 parent 8f3fa02
commit 2f4e765
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/backend/src/appointment/dependencies/auth.py b/backend/src/appointment/dependencies/auth.py
@@ -71,7 +71,7 @@ def get_admin_subscriber(
     admin_emails = os.getenv("APP_ADMIN_ALLOW_LIST")
 
     # Raise an error if we don't have any admin emails specified
-    if not admin_emails:
+    if not admin_emails or not user:
         raise InvalidPermissionLevelException()
 
     admin_emails = admin_emails.split(',')

diff --git a/backend/src/appointment/routes/auth.py b/backend/src/appointment/routes/auth.py
@@ -284,7 +284,10 @@ def me(
 @router.post("/permission-check")
 def permission_check(subscriber: Subscriber = Depends(get_admin_subscriber)):
     """Checks if they have admin permissions"""
-    return subscriber.is_deleted
+    # This should already be covered, but just in case!
+    if subscriber.is_deleted:
+        raise validation.InvalidPermissionLevelException()
+    return True  # Covered by get_admin_subscriber
 
 
 # @router.get('/test-create-account')

diff --git a/backend/test/integration/test_auth.py b/backend/test/integration/test_auth.py
@@ -15,6 +15,18 @@ def test_me(self, with_db, with_client):
         assert data.get('secondary_email') is None
         assert data.get('preferred_email') == os.getenv('TEST_USER_EMAIL')
 
+    def test_permission_check_with_deleted_subscriber(self, with_client, with_db):
+        os.environ['APP_ADMIN_ALLOW_LIST'] = '@example.org'
+
+        with with_db() as db:
+            subscriber = repo.subscriber.get_by_email(db, os.getenv('TEST_USER_EMAIL'))
+            db.delete(subscriber)
+            db.commit()
+
+        response = with_client.post('/permission-check',
+                                    headers=auth_headers)
+        assert response.status_code == 401, response.text
+
     def test_permission_check_with_no_admin_email(self, with_client):
         os.environ['APP_ADMIN_ALLOW_LIST'] = ''