From 1015bdf5e6c5b802d5e4725a61dfca94f73ab8cb Mon Sep 17 00:00:00 2001
From: Max Chis
Date: Wed, 17 Dec 2025 14:53:27 -0500
Subject: [PATCH] Remove special permission access for annotate endpoint
---
 src/api/endpoints/annotate/routes.py | 6 +++---
 src/security/manager.py | 5 +++++
 tests/automated/integration/conftest.py | 3 ++-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/api/endpoints/annotate/routes.py b/src/api/endpoints/annotate/routes.py
index 1633eb5a..ee3cc3c7 100644
--- a/src/api/endpoints/annotate/routes.py
+++ b/src/api/endpoints/annotate/routes.py
@@ -15,7 +15,7 @@ from src.core.core import AsyncCore
 from src.db.queries.implementations.anonymous_session import MakeAnonymousSessionQueryBuilder
 from src.security.dtos.access_info import AccessInfo
-from src.security.manager import get_access_info
+from src.security.manager import get_access_info, get_standard_user_access_info
 annotate_router = APIRouter(
 prefix="/annotate",
@@ -76,7 +76,7 @@ async def annotate_url_for_all_annotations_and_get_next_url_anonymous(
 @annotate_router.get("/all")
 async def get_next_url_for_all_annotations(
- access_info: AccessInfo = Depends(get_access_info),
+ access_info: AccessInfo = Depends(get_standard_user_access_info),
 async_core: AsyncCore = Depends(get_async_core),
 batch_id: int | None = batch_query,
 anno_url_id: int | None = url_id_query
@@ -92,7 +92,7 @@ async def annotate_url_for_all_annotations_and_get_next_url(
 url_id: int,
 all_annotation_post_info: AllAnnotationPostInfo,
 async_core: AsyncCore = Depends(get_async_core),
- access_info: AccessInfo = Depends(get_access_info),
+ access_info: AccessInfo = Depends(get_standard_user_access_info),
 batch_id: int | None = batch_query,
 anno_url_id: int | None = url_id_query
 ) -> GetNextURLForAllAnnotationResponse:
diff --git a/src/security/manager.py b/src/security/manager.py
index 16f0519e..abeade07 100644
--- a/src/security/manager.py
+++ b/src/security/manager.py
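Review bot: Neither `/annotate/all` handler records its new authorization level at the route: `get_next_url_for_all_annotations` in this hunk and `annotate_url_for_all_annotations_and_get_next_url` in the following one now accept any valid token rather than only holders of `Permissions.SOURCE_COLLECTOR`. The second handler takes an `AllAnnotationPostInfo` body and so appears to be the write path, which is where the wider audience matters most. A comment above each `Depends(get_standard_user_access_info)` such as `# Any authenticated user may annotate; SOURCE_COLLECTOR is intentionally not required.` would keep a later reader from treating the missing permission check as an oversight. Both function bodies lie outside the hunks, so it is worth confirming that nothing downstream of `access_info` still assumes the caller holds that permission.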
@@ -69,6 +69,11 @@ def get_access_info(
 ) -> AccessInfo:
 return SecurityManager().check_access(token, Permissions.SOURCE_COLLECTOR)
+def get_standard_user_access_info(
+ token: Annotated[str, Depends(oauth2_scheme)]
+) -> AccessInfo:
+ return SecurityManager().validate_token(token)
+
 def require_permission(permission: Permissions):
 def dependency(token: Annotated[str, Depends(oauth2_scheme)]) -> AccessInfo:
 return SecurityManager().check_access(token, permission=permission)
diff --git a/tests/automated/integration/conftest.py b/tests/automated/integration/conftest.py
index 19a9fe19..22537d20 100644
--- a/tests/automated/integration/conftest.py
+++ b/tests/automated/integration/conftest.py
@@ -19,7 +19,7 @@ from src.db.models.impl.url.core.sqlalchemy import URL
 from src.security.dtos.access_info import AccessInfo
 from src.security.enums import Permissions
-from src.security.manager import get_access_info
+from src.security.manager import get_access_info, get_standard_user_access_info
 from tests.automated.integration.api._helpers.RequestValidator import RequestValidator
 from tests.helpers.api_test_helper import APITestHelper
 from tests.helpers.data_creator.core import DBDataCreator
@@ -135,6 +135,7 @@ def override_access_info() -> AccessInfo:
 def client(disable_task_flags) -> Generator[TestClient, None, None]:
 with TestClient(app) as c:
 app.dependency_overrides[get_access_info] = override_access_info
+ app.dependency_overrides[get_standard_user_access_info] = override_access_info
 async_core: AsyncCore = c.app.state.async_core
 # Interfaces to the web should be mocked
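Review bot: `get_standard_user_access_info` has no docstring, and its name next to `get_access_info` hides that the generic-sounding dependency enforces `Permissions.SOURCE_COLLECTOR` while the new one enforces no permission at all. A docstring such as `"""Authenticate the bearer token and return its AccessInfo without requiring any permission."""` would make the difference visible where a route author picks a dependency. `SecurityManager.validate_token` is not shown in this hunk, so confirm that it rejects expired or malformed tokens with the same error response as `check_access`, since it is now the only gate on the routes that use this dependency.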
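Review bot: Mapping `get_standard_user_access_info` to the same `override_access_info` as `get_access_info` in the `client` fixture means the test client cannot tell the two authorization levels apart, so no test exercises the case this commit enables: a caller without `Permissions.SOURCE_COLLECTOR` reaching `/annotate/all`. The body of `override_access_info` is outside the hunk; if it returns an `AccessInfo` carrying that permission, a second helper that returns one without it, wired in as `app.dependency_overrides[get_standard_user_access_info] = override_standard_user_access_info` (a new helper, name to be chosen), would cover it. With both dependencies overridden identically, the integration tests would also not notice if a route were later pointed at the wrong one.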