Lock down POSTing for heart admin

opportunity-hack · Jul 31, 2024 · a4b5a66 · a4b5a66
1 parent 1e189e3
commit a4b5a66
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/api/hearts/hearts_views.py b/api/hearts/hearts_views.py
@@ -23,8 +23,12 @@ def get_hearts():
     print(f"res: {res}")
     return {"hearts": res}
 
+def getOrgId(req):
+    # Get the org_id from the req
+    return req.headers.get("X-Org-Id")
+
 @bp.route("/hearts", methods=["POST"])
-@auth.require_user
+@auth.require_org_member_with_permission("heart.admin", req_to_org_id=getOrgId)
 def save_hearts():        
     print("save_hearts")
     if auth_user and auth_user.user_id: