fix(backend): Invite must search user in database

2021-12-17 14:50:42 +01:00 · 2021-12-17 14:50:42 +01:00 · 62599898d0
parent 90219c5ddd
commit 62599898d0
1 changed files with 5 additions and 7 deletions
--- a/backend/flaschengeist_events/routes.py
+++ b/backend/flaschengeist_events/routes.py
@ -471,7 +471,7 @@ def invite(current_session: Session):
    Route: ``/events/invites`` | Method: ``POST``
-    POST-data: ``{job: number, invitees: string[], is_transfer?: boolean}``
+    POST-data: ``{job: number, invitees: string[], transferee?: string}``
    Args:
        current_session: Session sent with Authorization Header
@ -481,10 +481,8 @@ def invite(current_session: Session):
    """
    data = request.get_json()
    transferee = data.get("transferee", None)
-    if (
+    if transferee is not None and (
-        transferee is not None
+        transferee != current_session.userid or not current_session.user_.has_permission(permissions.ASSIGN_OTHER)
        and transferee != current_session.userid
        and not current_session.user_.has_permission(permissions.ASSIGN_OTHER)
    ):
        raise Forbidden
@ -494,11 +492,11 @@ def invite(current_session: Session):
            raise BadRequest
        return jsonify(
            [
-                event_controller.invite(job, invitee, current_session.user_, transferee)
+                event_controller.invite(job, invitee, current_session.user_, userController.get_user(transferee) if transferee else None)
                for invitee in [userController.get_user(uid) for uid in data["invitees"]]
            ]
        )
-    except (TypeError, KeyError, ValueError):
+    except (TypeError, KeyError, ValueError, NotFound):
        raise BadRequest