mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-20 15:31:15 -05:00
36f41c23e1
Currently there aren't any permission checks based on folder IDs in the admin app or the API, so it's possible for a user to modify the folder ID to perform operations on folders outside their service. Our usual way to avoid this is to always use service_id filter when fetching objects from the database.
26 lines
643 B
Python
26 lines
643 B
Python
from app import db
|
|
from app.dao.dao_utils import transactional
|
|
from app.models import TemplateFolder
|
|
|
|
|
|
def dao_get_template_folder_by_id_and_service_id(template_folder_id, service_id):
|
|
return TemplateFolder.query.filter(
|
|
TemplateFolder.id == template_folder_id,
|
|
TemplateFolder.service_id == service_id
|
|
).one()
|
|
|
|
|
|
@transactional
|
|
def dao_create_template_folder(template_folder):
|
|
db.session.add(template_folder)
|
|
|
|
|
|
@transactional
|
|
def dao_update_template_folder(template_folder):
|
|
db.session.add(template_folder)
|
|
|
|
|
|
@transactional
|
|
def dao_delete_template_folder(template_folder):
|
|
db.session.delete(template_folder)
|