From 2e77855fe9ef03ae5477c29a8def3130e61ffb1b Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <rpm@fthiessen.de>
Date: Fri, 13 Nov 2020 03:57:23 +0100
Subject: [PATCH] [System] Fixed HTTP status when user has insufficient
 permission

---
 flaschengeist/controller/sessionController.py | 17 +++++++++++------
 flaschengeist/decorator.py                    |  3 ---
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/flaschengeist/controller/sessionController.py b/flaschengeist/controller/sessionController.py
index 7d5e3e8..499913e 100644
--- a/flaschengeist/controller/sessionController.py
+++ b/flaschengeist/controller/sessionController.py
@@ -2,13 +2,13 @@ import secrets
 from flaschengeist.models.session import Session
 from flaschengeist.database import db
 from flaschengeist import logger
-from werkzeug.exceptions import Forbidden
+from werkzeug.exceptions import Forbidden, Unauthorized
 from datetime import datetime, timezone
 
 lifetime = 1800
 
 
-def validate_token(token, user_agent, permissions):
+def validate_token(token, user_agent, permission):
     """Verify session
 
     Verify a Session and Roles so if the User has permission or not.
@@ -17,9 +17,12 @@ def validate_token(token, user_agent, permissions):
     Args:
         token: Token to verify.
         user_agent: User agent of browser to check
-        permissions: Permissions needed to access restricted routes
+        permission: Permission needed to access restricted routes
     Returns:
-        A Session for this given Token or False.
+        A Session for this given Token
+    Raises:
+        Unauthorized: If token is invalid or expired
+        Forbidden: If permission is insufficient
     """
     logger.debug("check token {{ {} }} is valid".format(token))
     session = Session.query.filter_by(token=token).one_or_none()
@@ -28,15 +31,17 @@ def validate_token(token, user_agent, permissions):
         if session.expires >= datetime.now(timezone.utc) and (
             session.browser == user_agent.browser and session.platform == user_agent.platform
         ):
-            if not permissions or session._user.has_permission(permissions):
+            if not permission or session._user.has_permission(permission):
                 session.refresh()
                 db.session.commit()
                 return session
+            else:
+                raise Forbidden
         else:
             logger.debug("access token is out of date or invalid client used")
             delete_session(session)
     logger.debug("no valid access token with token: {{ {} }} and permissions: {{ {} }}".format(token, permissions))
-    return False
+    raise Unauthorized
 
 
 def create(user, user_agent=None) -> Session:
diff --git a/flaschengeist/decorator.py b/flaschengeist/decorator.py
index e29fb4a..18ded1a 100644
--- a/flaschengeist/decorator.py
+++ b/flaschengeist/decorator.py
@@ -15,9 +15,6 @@ def extract_session(permission=None):
         raise Unauthorized
 
     session = sessionController.validate_token(token, request.user_agent, permission)
-    if not session:
-        logger.debug("token {{ {} }} is invalid".format(token))
-        raise Unauthorized
     return session