0

i want to set up edit/delete permission for creator only. The main problem is in Frontend any user can update and delete without creator permission. I tried uuid for not guessing the id value. But the problem is still there.

def create_user_education(request: schemas.StudentEducation, db: Session,current_user: My_Education = Depends(oauth2.get_current_user)):
        try:
            uid = str(uuid.uuid4().hex)
            new_education = My_Education(id=uid,user_id=request.user_id,institute=request.institute,website=request.website,country=request.country,city=request.city,degree=request.degree,start_date=request.start_date + timedelta(hours=+6),end_date=request.end_date + timedelta(hours=+6),description=request.description)
                 
                

            db.add(new_education)
            db.commit()
            db.refresh(new_education)
            return {properties.create_message}
        except SQLAlchemyError:
            raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                                detail=properties.error_message)



def update_user_education(id: str,  request: schemas.StudentEducation, db: Session,current_user: My_Education = Depends(oauth2.get_current_user)):
        try:
            education = db.query(My_Education).filter(My_Education.id == id)
            if not education.first():
                raise HTTPException(status_code=status.HTTP_404_NOT_FOUND,
                                detail=f"user educaton  with id {id} not found")
            
            education.update({'user_id':request.user_id,'institute':request.institute,'website':request.website,'country':request.country,'city':request.city,'degree':request.degree,'start_date':request.start_date + timedelta(hours=+6),'end_date':request.end_date + timedelta(hours=+6),'description':request.description})
            
            db.commit()
            return {properties.update_message}
        except SQLAlchemyError:
            raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
                                detail=properties.error_message)

Like i want that

"id": "a8a8caa2f94f492c9a8e72276d116a3c",
"user_id": 2,
"institute": "Texas_high_school",
"website": "https://mjrgeorge.netlify.app/",
"country": "Denmark",
"city": "   Copenhagen",
"degree": "MBA",
"start_date": "2007-02-06T00:00:00",
"end_date": "2008-02-21T00:00:00",
"description": "Hello description Hello description Hello description Hello description "

Only

 **"id":"a8a8caa2f94f492c9a8e72276d116a3c",
 "user_id": 2,

can update and delete themselves. No one else

Here is my model class:

class My_Education(Base):
    __tablename__ = properties.My_Education

    id = Column(String, primary_key=True, index=True)
    user_id=Column(Integer, ForeignKey('tbl_stu_usr-users.id'))
    institute=Column(String)
    website=Column(String)
    country=Column(String)
    city=Column(String)
    degree=Column(String)
    start_date=Column(DateTime)
    end_date=Column(DateTime)
    description=Column(String)
Soumick Apon
  • 9
  • 4

1 Answers1

0

You should have an authentication. To elaborate, the intended user should first login. You can issue a login token, which you can later validate before updating.

How do you do that?

There are many ways, I’ll add a few links below for reference, you may use any of it.

  1. Simple solution from docs
  2. FastAPI users project
Irfanuddin
  • 2,295
  • 1
  • 15
  • 29