Add authentication support

1 files changed, 12 insertions, 4 deletions

diff --git a/inventory/api.py b/inventory/api.py
index d374ad1..388a698 100644
--- a/inventory/api.py
+++ b/inventory/api.py
@@ -19,6 +19,7 @@ from .schema import NodeSchema
 mongo = PyMongo(current_app, tz_aware=True)
 mongo.db.nodes.create_index([('fields.value', pymongo.TEXT), ('name', pymongo.TEXT)], name='fields.value_text_name_text')
 mongo.db.nodes.create_index([('parent_id', pymongo.ASCENDING)], name='parent_id')
+mongo.db.nodes.create_index([('user_id', pymongo.ASCENDING)], name='user_id')
 
 app = Blueprint('api', __name__)
 
@@ -74,6 +75,7 @@ def auth_required(f):
 
 # Routes
 @app.route('/nodes')
+@auth_required
 def root_nodes():
     schema = NodeSchema(many=True)
     data = schema.dump(mongo.db.nodes.find({'parent_id': None}))
@@ -81,6 +83,7 @@ def root_nodes():
 
 
 @app.route('/nodes', methods=['POST'])
+@auth_required
 def add_node():
     data = request.json
     if data is None or not isinstance(data, dict):
@@ -88,6 +91,7 @@ def add_node():
     schema = NodeSchema()
     node = schema.load(data)
     node['created_at'] = pytz.utc.localize(datetime.datetime.utcnow())
+    node['user_id'] = g.user['_id']
     result = mongo.db.nodes.insert_one(node)
     if not result.acknowledged:
         abort(500, 'Write operation not acknowledged')
@@ -96,9 +100,10 @@ def add_node():
 
 
 @app.route('/nodes/<ObjectId:node_id>')
+@auth_required
 def node(node_id):
     result = mongo.db.nodes.aggregate([
-        {'$match': {'_id': node_id}},
+        {'$match': {'_id': node_id, 'user_id': g.user['_id']}},
         {
             '$graphLookup': {
                 'from': 'nodes',
@@ -147,6 +152,7 @@ def node(node_id):
 
 
 @app.route('/nodes/<ObjectId:node_id>', methods=['PUT'])
+@auth_required
 def update_node(node_id):
     data = request.json
     if data is None or not isinstance(data, dict):
@@ -154,26 +160,28 @@ def update_node(node_id):
     schema = NodeSchema()
     node = schema.load(data)
     node['updated_at'] = pytz.utc.localize(datetime.datetime.utcnow())
-    result = mongo.db.nodes.update_one({'_id': node_id}, {'$set': node})
+    result = mongo.db.nodes.update_one({'_id': node_id, 'user_id': g.user['_id']}, {'$set': node})
     if not result.acknowledged:
         abort(500, 'Write operation not acknowledged')
     return '', 204
 
 
 @app.route('/nodes/<ObjectId:node_id>', methods=['DELETE'])
+@auth_required
 def delete_node(node_id):
-    result = mongo.db.nodes.delete_one({'_id': node_id})
+    result = mongo.db.nodes.delete_one({'_id': node_id, 'user_id': g.user['_id']})
     if result.deleted_count == 0:
         abort(404, 'No node found')
     return jsonify({}), 204
 
 
 @app.route('/search', methods=['POST'])
+@auth_required
 def find_nodes():
     if 'q' not in request.form:
         abort(400, 'Missing q argument')
     schema = NodeSchema(many=True)
-    data = schema.dump(mongo.db.nodes.find({'$text': {'$search': request.form['q']}}))
+    data = schema.dump(mongo.db.nodes.find({'$text': {'$search': request.form['q']}, 'user_id': g.user['_id']}))
     return jsonify(data)