make sure only admin users can use the preview mode

521bff66 · Remco Tukker · e166c541 · 521bff66 · 521bff66 · 521bff66
Commit 521bff66 authored Sep 24, 2023 by Remco Tukker
--- a/compendium-frontend/src/helpers/usePreview.tsx
+++ b/compendium-frontend/src/helpers/usePreview.tsx
 import { useContext, useEffect } from "react";
 import { PreviewContext } from "./PreviewProvider";
 import { useSearchParams } from "react-router-dom";
+import { userContext } from "../shared/UserProvider";


 export function usePreview() {
    const { preview, setPreview } = useContext(PreviewContext);
+    const { user } = useContext(userContext);
    const [searchParams] = useSearchParams();

    const previewParameter = searchParams.get('preview');

    useEffect(() => {
-        if (previewParameter !== null) {
+        if (previewParameter !== null && user.permissions.admin) {
            setPreview(true);
        }
-    }, [previewParameter, setPreview]);
+    }, [previewParameter, setPreview, user]);

    return preview;
 }
\ No newline at end of file
--- a/compendium_v2/routes/common.py
+++ b/compendium_v2/routes/common.py
@@ -7,6 +7,7 @@ from compendium_v2 import db
 from compendium_v2.db.presentation_models import NREN, PreviewYear

 from flask import Response, request
+from flask_login import current_user  # type: ignore
 from sqlalchemy import select

 logger = logging.getLogger(__name__)
@@ -63,7 +64,8 @@ def after_request(response):

 def get_data(table_class):
    select_statement = select(table_class).join(NREN).order_by(NREN.name.asc(), table_class.year.desc())
-    preview = request.args.get('preview') is not None
+    is_admin = (not current_user.is_anonymous) and current_user.is_admin
+    preview = is_admin and request.args.get('preview') is not None
    if not preview:
        select_statement = select_statement.where(table_class.year.not_in(select(PreviewYear.year)))
    return db.session.scalars(select_statement)
--- a/compendium_v2/static/bundle.js
+++ b/compendium_v2/static/bundle.js
--- a/test/test_budget.py
+++ b/test/test_budget.py
@@ -15,7 +15,7 @@ def test_budget_response(client, test_budget_data):
    assert result


-def test_budget_response_preview(app, client, test_budget_data):
+def test_budget_response_preview(app, client, test_budget_data, mocked_admin_user):
    rv = client.get(
        '/api/budget/',
        headers={'Accept': ['application/json']})