block inactive services from making stateful changes

in the NotifyAdminAPIClient, which all api traffic goes through, return
403 for any stateful requests (post, put and delete), if the following
criteria have been met:
* a current_service is set
    (this prevents checks being carried out on non-service related
     updates, e.g. editing user details)
* the service is not active
* the current user is not a platform admin

so platform admins can still update anything.

Note: Without any specific error handling, the user will see a generic
403 page. This is fine, probably - it's a relatively niche case that
you'll be editing a service you can't get to anyway.
Leo Hemsted
2016-12-09 15:44:58 +00:00
parent 255ce158b7
commit d56b7b9a58
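The guard the commit message describes, written out as an added, self-contained example (it is not the Notify project's own code). It assumes a hypothetical `BaseAPIClient` that records calls instead of making HTTP requests, a `Forbidden` exception standing in for Flask's `abort(403)`, and a minimal `User` object with a `platform_admin` flag; it also goes slightly beyond the visible hunk by wrapping `put` and `delete` the same way as `post` and by showing that `get` is left unguarded:

```python
from typing import Optional


class Forbidden(Exception):
    """Stands in for Flask's abort(403) so the example runs without Flask (assumption)."""
    status_code = 403


class User:
    """Minimal stand-in for the admin app's current_user (assumption)."""

    def __init__(self, platform_admin: bool = False):
        self.platform_admin = platform_admin


class BaseAPIClient:
    """Hypothetical base client: records calls instead of making HTTP requests."""

    def __init__(self) -> None:
        self.calls: list = []

    def _record(self, method: str, url: str) -> dict:
        self.calls.append((method, url))
        return {"status": 200, "method": method, "url": url}

    def get(self, url: str, *args, **kwargs) -> dict:
        return self._record("GET", url)

    def post(self, url: str, *args, **kwargs) -> dict:
        return self._record("POST", url)

    def put(self, url: str, *args, **kwargs) -> dict:
        return self._record("PUT", url)

    def delete(self, url: str, *args, **kwargs) -> dict:
        return self._record("DELETE", url)


class NotifyAdminAPIClient(BaseAPIClient):
    """Applies the three criteria from the commit message before any stateful request."""

    def __init__(self, current_service: Optional[dict], current_user: User) -> None:
        super().__init__()
        self.current_service = current_service
        self.current_user = current_user

    def check_inactive_service(self) -> None:
        service = self.current_service
        # 1. No current_service: a non-service update (e.g. editing user details); let it through.
        if not service:
            return
        # 2. Service is active: nothing to block. A missing 'active' key is treated as
        #    inactive so the guard fails closed (a design choice in this example).
        if service.get("active", False):
            return
        # 3. Platform admins may still change anything.
        if self.current_user.platform_admin:
            return
        raise Forbidden("service is inactive; stateful changes are blocked")

    # Only the stateful verbs are guarded; GET is inherited unchanged.
    def post(self, *args, **kwargs) -> dict:
        self.check_inactive_service()
        return super().post(*args, **kwargs)

    def put(self, *args, **kwargs) -> dict:
        self.check_inactive_service()
        return super().put(*args, **kwargs)

    def delete(self, *args, **kwargs) -> dict:
        self.check_inactive_service()
        return super().delete(*args, **kwargs)


def request_status(method: str, current_service: Optional[dict], current_user: User) -> int:
    """Send one request through the client and return 403 if the guard fires, else 200."""
    client = NotifyAdminAPIClient(current_service, current_user)
    try:
        return getattr(client, method.lower())("/service/example")["status"]
    except Forbidden as exc:
        return exc.status_code


if __name__ == "__main__":
    # Constructed cases covering each criterion and each verb.
    cases = [
        ("post", {"active": False}, User()),
        ("put", {"active": False}, User()),
        ("delete", {"active": False}, User()),
        ("get", {"active": False}, User()),
        ("post", {"active": False}, User(platform_admin=True)),
        ("post", {"active": True}, User()),
        ("post", None, User()),
    ]
    for method, service, user in cases:
        print(method.upper(), service, "admin" if user.platform_admin else "user",
              "->", request_status(method, service, user))
```

Because the guard sits in the admin app's client rather than in the API, it protects only traffic that goes through this client; the API server still needs its own authorization on the same endpoints.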

@@ -34,13 +34,9 @@ class NotifyAdminAPIClient(BaseAPIClient):
# if the current service is inactive and the user isn't a platform admin, we should block them from making any
# stateful modifications to that service
print('\n\n\n')
print(current_service)
print(current_user)
if current_service and not current_service['active'] and not current_user.platform_admin:
abort(403)
def post(self, *args, **kwargs):
self.check_inactive_service()
return super().post(*args, **kwargs)
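Review bot: only `post` is wrapped with `self.check_inactive_service()` in the visible lines, while the commit message promises the same for put and delete; confirm those methods call the check as well, otherwise the guard covers one of the three stateful verbs only. The `+`/`-` markers are lost in this rendering, but the header `-34,13 +34,9` shows a net removal of four lines, which fits the three `print(...)` debugging statements being dropped; check that nothing else went with them. Two smaller points: `current_service['active']` raises KeyError rather than failing closed if the service dict has no `active` key, and this guard lives in the admin app's client, so it complements rather than replaces the API server's own authorization on these endpoints.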