feat: admin permissions required to view profile details

opportunity-hack · Jul 31, 2024 · 82bfa37 · 82bfa37
1 parent aab0014
commit 82bfa37
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/api/messages/messages_service.py b/api/messages/messages_service.py
@@ -1235,6 +1235,22 @@ def get_profile_metadata_old(propel_id):
 
     return Message(response)
 
+
+def get_all_profiles():
+    db = get_db()
+    docs = db.collection('users').stream()  # steam() gets all records
+    if docs is None:
+        return {[]}
+    else:
+        results = []
+        for doc in docs:
+            results.append(doc_to_json(docid=doc.id, doc=doc))
+
+    # log result
+    logger.info(results)        
+    return { "profiles": results }
+
+
 # Caching is not needed because the parent method already is caching
 @limits(calls=100, period=ONE_MINUTE)
 def get_history_old(db_id):

diff --git a/api/messages/messages_views.py b/api/messages/messages_views.py
@@ -35,7 +35,8 @@
     link_problem_statements_to_events_old,
     save_news,
     save_lead_async,
-    get_news
+    get_news,
+    get_all_profiles
 )
 
 
@@ -273,3 +274,16 @@ def save_profile():
 def get_profile_by_id(id):
     return get_user_by_id_old(id)
 
+
+def getOrgId(req):
+    # Ref: https://docs.propelauth.com/reference/backend-apis/flask#req-to-org-id
+    return "77f70865-7da9-4588-850b-a5ebb6974410" # PropelAuth wants you to pass this in as a req param, but let's keep it simple
+
+
+# Used to provide profile details - user must be logged in
+@bp.route("/admin/profiles", methods=["GET"])
+@auth.require_org_member_with_permission("profile.admin", req_to_org_id=getOrgId)
+def all_profiles():                            
+        return get_all_profiles()
+
+