Auth: Require logged in user to delete registrations, team_registrations and subscriptions

2025-10-16 10:54:20 +02:00
parent 1df2ecbebf
commit bfe40a4837
4 changed files with 40 additions and 15 deletions
--- a/src/meal_manager/main.py
+++ b/src/meal_manager/main.py
@@ -7,7 +7,7 @@ from typing import Annotated

 import starlette.status as status
 from fastapi import Depends, FastAPI, HTTPException, Request, Response
-from fastapi.responses import RedirectResponse, FileResponse
+from fastapi.responses import FileResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
 from sqlalchemy import create_engine, select
@@ -132,7 +132,7 @@ async def past_events(request: Request, session: SessionDep):


@app.get("/subscribe")
-async def subscribe(request: Request, session: SessionDep):
+async def subscribe(request: Request, session: SessionDep, user: UserDep):
    statement = select(Household)
    households = session.scalars(statement)

@@ -146,7 +146,11 @@ async def subscribe(request: Request, session: SessionDep):
    return templates.TemplateResponse(
        request=request,
        name="subscribe.html",
-        context={"households": households, "subscriptions": subscriptions},
+        context={
+            "households": households,
+            "subscriptions": subscriptions,
+            "user": user,
+        },
    )


@@ -187,7 +191,9 @@ async def add_subscribe(request: Request, session: SessionDep):


@app.get("/subscribe/{household_id}/delete")
-async def delete_subscription(request: Request, session: SessionDep, household_id: int):
+async def delete_subscription(
+    request: Request, session: SessionDep, household_id: int, user: StrictUserDep
+):

    statement = select(Subscription).where(Subscription.household_id == household_id)
    sub = session.scalars(statement).one()
@@ -345,7 +351,11 @@ async def add_registration(request: Request, event_id: int, session: SessionDep)

@app.get("/event/{event_id}/registration/{household_id}/delete")
 async def delete_registration(
-    request: Request, event_id: int, household_id: int, session: SessionDep
+    request: Request,
+    event_id: int,
+    household_id: int,
+    session: SessionDep,
+    user: StrictUserDep,
 ):
    """
    Deletes a registration record for a specific household at a given event. This endpoint
@@ -388,6 +398,7 @@ async def delete_team_registration(
    event_id: int,
    entry_id: int,
    session: SessionDep,
+    user: StrictUserDep,
 ):
    statement = select(TeamRegistration).where(TeamRegistration.id == entry_id)
    session.delete(session.scalars(statement).one())