Diffstat (limited to 'indoteknik_api/controllers/api_v1')
-rw-r--r--indoteknik_api/controllers/api_v1/partner.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/indoteknik_api/controllers/api_v1/partner.py b/indoteknik_api/controllers/api_v1/partner.py
index 8c7dbd57..ba59a1ce 100644
--- a/indoteknik_api/controllers/api_v1/partner.py
+++ b/indoteknik_api/controllers/api_v1/partner.py
@@ -83,8 +83,9 @@ class Partner(controller.Controller):
@http.route(prefix + 'partner/<id>', auth='public', methods=['PUT', 'OPTIONS'], csrf=False)
def write_partner_by_id(self, **kw):
- if not self.authenticate():
- return self.response(code=401, description='Unauthorized')
+ user_token = self.authenticate()
+ if not user_token:
+ return self.unauthorized_response()
params = self.get_request_params(kw, {
'id': ['required', 'number'],
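Review bot: The `if not user_token:` guard checks only truthiness, yet the second hunk indexes `user_token['partner_id']`, so a truthy token without that key would raise there instead of returning the unauthorized response. authenticate() is not visible in this diff, so this is inferred; if it can return anything other than a mapping carrying `partner_id`, tighten the guard to `if not user_token or not user_token.get('partner_id'):`. Because the route is declared `auth='public'` with `csrf=False`, this token check and the later ownership check are the only access control visible here before `partner.write`. A comment such as `# authenticate() returns the token payload (with partner_id) or a falsy value` would make that contract explicit. The body of write_partner_by_id continues outside this hunk.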
@@ -101,7 +102,10 @@ class Partner(controller.Controller):
partner = request.env[self._name].search([('id', '=', params['value']['id'])], limit=1)
if not partner:
return self.response(code=404, description='User not found')
-
+
+ if user_token['partner_id'] not in self.get_partner_child_ids(partner.id):
+ return self.unauthorized_response()
+
partner.write(params['value'])
return self.response({