authorRafi Zadanly <zadanlyr@gmail.com>2023-02-23 10:51:39 +0700
committerRafi Zadanly <zadanlyr@gmail.com>2023-02-23 10:51:39 +0700
commit58602284da96024060a553e12245638004d8f95f (patch)
treef10a05f6f36d729dd409806411e23d95fb23fb60 /indoteknik_api/controllers/api_v1
parent5c9214c1c846e61c5356e1b19341b070c2303198 (diff)
add security check on writing partner data
Diffstat (limited to 'indoteknik_api/controllers/api_v1')
-rw-r--r--indoteknik_api/controllers/api_v1/partner.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/indoteknik_api/controllers/api_v1/partner.py b/indoteknik_api/controllers/api_v1/partner.py
index 8c7dbd57..ba59a1ce 100644
--- a/indoteknik_api/controllers/api_v1/partner.py
+++ b/indoteknik_api/controllers/api_v1/partner.py
@@ -83,8 +83,9 @@ class Partner(controller.Controller):
@http.route(prefix + 'partner/<id>', auth='public', methods=['PUT', 'OPTIONS'], csrf=False)
def write_partner_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
+ user_token = self.authenticate()
+ if not user_token:
+ return self.unauthorized_response()
params = self.get_request_params(kw, {
'id': ['required', 'number'],
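Review bot: The new `user_token` binding is only checked for truthiness, yet the second hunk indexes it as `user_token['partner_id']`, so a token that authenticates but lacks that key would raise KeyError and surface as a server error instead of a 401; what `self.authenticate()` returns is not visible here, so this is an inference to confirm. If the token is a mapping, tightening the guard to `if not user_token or not user_token.get('partner_id'):` keeps the failure on the unauthorized path. In the same function, the 404 "User not found" at the second hunk is returned before the ownership check against `get_partner_child_ids`, so any authenticated caller can learn which partner ids exist by probing; performing the ownership check first, or returning the same unauthorized response in both cases, removes that oracle. write_partner_by_id's body continues outside this hunk.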
@@ -101,7 +102,10 @@ class Partner(controller.Controller):
partner = request.env[self._name].search([('id', '=', params['value']['id'])], limit=1)
if not partner:
return self.response(code=404, description='User not found')
-
+
+ if user_token['partner_id'] not in self.get_partner_child_ids(partner.id):
+ return self.unauthorized_response()
+
partner.write(params['value'])
return self.response({