feat: add FETCH_PRICE permission for manual price fetch endpoint
The POST /api/audit/price-history/fetch endpoint now requires FETCH_PRICE permission instead of VIEW_AUDIT, which is more semantically correct since it's a write operation.
This commit is contained in:
parent
54709888e1
commit
3806361fac
4 changed files with 5 additions and 2 deletions
@ -39,6 +39,7 @@ class Permission(str, PyEnum):
# Audit permissions
# Audit permissions
VIEW_AUDIT = "view_audit"
VIEW_AUDIT = "view_audit"
FETCH_PRICE = "fetch_price"
# Profile permissions
# Profile permissions
MANAGE_OWN_PROFILE = "manage_own_profile"
MANAGE_OWN_PROFILE = "manage_own_profile"
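Review bot: `FETCH_PRICE` is added under the `# Audit permissions` comment with nothing stating how it differs from `VIEW_AUDIT`, which is the whole reason for the commit; a trailing comment such as `FETCH_PRICE = "fetch_price"  # triggers a manual price fetch (write); VIEW_AUDIT stays read-only` would make the read/write split visible where the permission is defined. The same string value is duplicated by hand in the frontend `Permission` object in the last hunk, so a test that compares the backend enum values against the frontend constants would catch the two lists drifting apart. The `Permission` class body continues outside the hunk.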
@ -84,6 +85,7 @@ ROLE_DEFINITIONS: dict[str, RoleConfig] = {
"description": "Administrator with audit/invite/appointment access",
"description": "Administrator with audit/invite/appointment access",
"permissions": [
"permissions": [
Permission.VIEW_AUDIT,
Permission.VIEW_AUDIT,
Permission.FETCH_PRICE,
Permission.MANAGE_INVITES,
Permission.MANAGE_INVITES,
Permission.MANAGE_AVAILABILITY,
Permission.MANAGE_AVAILABILITY,
Permission.VIEW_ALL_APPOINTMENTS,
Permission.VIEW_ALL_APPOINTMENTS,
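Review bot: Adding `Permission.FETCH_PRICE` only to this administrator role narrows who can trigger a manual fetch: before this commit every role holding `VIEW_AUDIT` could call the endpoint, and after it only roles listed with `FETCH_PRICE` can. Only this one role is visible in the hunk, so whether any other entry in `ROLE_DEFINITIONS` holds `VIEW_AUDIT` without `FETCH_PRICE` — and thereby silently loses the endpoint — cannot be confirmed from here and is worth checking before merge. If the narrowing is intentional, saying so in the commit description or in this role's `"description"` would stop the next reader from treating it as an oversight. The `ROLE_DEFINITIONS` mapping continues outside the hunk.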
@ -190,7 +190,7 @@ async def get_price_history(
@router.post("/price-history/fetch", response_model=PriceHistoryResponse)
@router.post("/price-history/fetch", response_model=PriceHistoryResponse)
async def fetch_price_now(
async def fetch_price_now(
db: AsyncSession = Depends(get_db),
db: AsyncSession = Depends(get_db),
_current_user: User = Depends(require_permission(Permission.VIEW_AUDIT)),
_current_user: User = Depends(require_permission(Permission.FETCH_PRICE)),
) -> PriceHistoryResponse:
) -> PriceHistoryResponse:
"""Manually trigger a price fetch from Bitfinex."""
"""Manually trigger a price fetch from Bitfinex."""
price, timestamp = await fetch_btc_eur_price()
price, timestamp = await fetch_btc_eur_price()
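Review bot: The authenticated caller is bound to `_current_user` and then discarded, so a manual fetch — which this commit now explicitly treats as a write operation gated by its own permission — leaves no record of who triggered it. Renaming the parameter to `current_user` and logging its identifier next to the fetched price (assuming the module has a logger and the `User` model exposes an id field) would give this privileged action the audit trail the rest of the `/api/audit` router implies. The docstring could also state the gate: `"""Manually trigger a price fetch from Bitfinex. Requires FETCH_PRICE."""`. The body of `fetch_price_now` continues outside the hunk.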
@ -215,7 +215,7 @@ class TestManualFetch:
assert response.status_code == 401
assert response.status_code == 401
@pytest.mark.asyncio
@pytest.mark.asyncio
async def test_requires_view_audit_permission(self, client_factory, regular_user):
async def test_requires_fetch_price_permission(self, client_factory, regular_user):
"""Verify regular users cannot trigger manual fetch."""
"""Verify regular users cannot trigger manual fetch."""
async with client_factory.create(cookies=regular_user["cookies"]) as authed:
async with client_factory.create(cookies=regular_user["cookies"]) as authed:
response = await authed.post("/api/audit/price-history/fetch")
response = await authed.post("/api/audit/price-history/fetch")
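Review bot: The renamed `test_requires_fetch_price_permission` still exercises only a regular user, so nothing in `TestManualFetch` pins the distinction this commit introduces: a user holding `VIEW_AUDIT` but not `FETCH_PRICE` should now be rejected, and a user holding `FETCH_PRICE` should succeed. Adding those two cases — a fixture with audit-only permissions expecting the forbidden status, and an administrator fixture expecting success — would turn the rename into a real regression guard for the new boundary. The assertion on `response` and the rest of the class lie outside the hunk.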
@ -16,6 +16,7 @@ export const Permission: Record<string, PermissionType> = {
INCREMENT_COUNTER: "increment_counter",
INCREMENT_COUNTER: "increment_counter",
USE_SUM: "use_sum",
USE_SUM: "use_sum",
VIEW_AUDIT: "view_audit",
VIEW_AUDIT: "view_audit",
FETCH_PRICE: "fetch_price",
MANAGE_OWN_PROFILE: "manage_own_profile",
MANAGE_OWN_PROFILE: "manage_own_profile",
MANAGE_INVITES: "manage_invites",
MANAGE_INVITES: "manage_invites",
VIEW_OWN_INVITES: "view_own_invites",
VIEW_OWN_INVITES: "view_own_invites",
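Review bot: `Permission` is declared as `Record<string, PermissionType>` (visible in the hunk header), so adding `FETCH_PRICE` here gives callers no key checking — `Permission.FETCH_PRICE` and a misspelled `Permission.FETCH_PRICES` both type-check as `PermissionType`, and the typo only surfaces at runtime as an undefined permission. If the project's TypeScript version supports it, replacing the annotation with `} satisfies Record<string, PermissionType>` on the closing line (outside this hunk), or `as const`, keeps the key literals while still validating every value. The string `"fetch_price"` is also duplicated by hand from the backend enum in the first hunk; a test comparing the two lists would catch drift between them. The object literal closes outside the hunk.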