fix: make FrontendType mandatory in require_module_access
The require_module_access dependency was using path-based detection to determine admin vs vendor authentication, which failed for API routes (/api/v1/admin/*) because it only checked for /admin/*. Changes: - Make frontend_type parameter mandatory (was optional with fallback) - Remove path-based detection logic from require_module_access - Update all 33 module route files to pass explicit FrontendType: - 15 admin routes use FrontendType.ADMIN - 18 vendor routes use FrontendType.VENDOR This ensures authentication method is explicitly declared at route definition time, making it independent of URL structure and future-proof for API version changes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -21,6 +21,7 @@ from sqlalchemy.orm import Session
|
||||
|
||||
from app.api.deps import get_current_admin_api, require_module_access
|
||||
from app.core.database import get_db
|
||||
from app.modules.enums import FrontendType
|
||||
from app.modules.orders.services.order_service import order_service
|
||||
from models.schema.auth import UserContext
|
||||
from app.modules.orders.schemas import (
|
||||
@@ -37,7 +38,7 @@ from app.modules.orders.schemas import (
|
||||
# Base router for orders
|
||||
_orders_router = APIRouter(
|
||||
prefix="/orders",
|
||||
dependencies=[Depends(require_module_access("orders"))],
|
||||
dependencies=[Depends(require_module_access("orders", FrontendType.ADMIN))],
|
||||
)
|
||||
|
||||
# Aggregate router that includes both orders and exceptions
|
||||
|
||||
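Review bot: The second argument to `require_module_access` is passed positionally at `_orders_router`, and with path-based detection removed this hand-written enum value is the only thing that selects admin or vendor authentication for the router. Writing it as `require_module_access("orders", frontend_type=FrontendType.ADMIN)` (the commit message names the parameter `frontend_type`) would make the choice easier to audit; the same applies to the other four router definitions on this page. Nothing visible here checks that the value agrees with the file's `get_current_admin_api` or `get_current_vendor_api` import, so a copy-paste slip between an admin and a vendor route file would presumably go unnoticed. A test that walks the registered routers and asserts the expected `FrontendType` per mount point would catch it. The definition of `require_module_access` is not shown, so how a mismatch behaves at request time cannot be confirmed from here.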
@@ -16,6 +16,7 @@ from sqlalchemy.orm import Session
|
||||
|
||||
from app.api.deps import get_current_admin_api, require_module_access
|
||||
from app.core.database import get_db
|
||||
from app.modules.enums import FrontendType
|
||||
from app.modules.orders.services.order_item_exception_service import order_item_exception_service
|
||||
from models.schema.auth import UserContext
|
||||
from app.modules.orders.schemas import (
|
||||
@@ -33,7 +34,7 @@ logger = logging.getLogger(__name__)
|
||||
admin_exceptions_router = APIRouter(
|
||||
prefix="/order-exceptions",
|
||||
tags=["Order Item Exceptions"],
|
||||
dependencies=[Depends(require_module_access("orders"))],
|
||||
dependencies=[Depends(require_module_access("orders", FrontendType.ADMIN))],
|
||||
)
|
||||
|
||||
|
||||
|
||||
@@ -16,6 +16,7 @@ from sqlalchemy.orm import Session
|
||||
|
||||
from app.api.deps import get_current_vendor_api, require_module_access
|
||||
from app.core.database import get_db
|
||||
from app.modules.enums import FrontendType
|
||||
from app.modules.orders.services.order_inventory_service import order_inventory_service
|
||||
from app.modules.orders.services.order_service import order_service
|
||||
from models.schema.auth import UserContext
|
||||
@@ -29,7 +30,7 @@ from app.modules.orders.schemas import (
|
||||
# Base router for orders
|
||||
_orders_router = APIRouter(
|
||||
prefix="/orders",
|
||||
dependencies=[Depends(require_module_access("orders"))],
|
||||
dependencies=[Depends(require_module_access("orders", FrontendType.VENDOR))],
|
||||
)
|
||||
|
||||
# Aggregate router that includes both orders and exceptions
|
||||
|
||||
@@ -15,6 +15,7 @@ from sqlalchemy.orm import Session
|
||||
|
||||
from app.api.deps import get_current_vendor_api, require_module_access
|
||||
from app.core.database import get_db
|
||||
from app.modules.enums import FrontendType
|
||||
from app.modules.orders.services.order_item_exception_service import order_item_exception_service
|
||||
from models.schema.auth import UserContext
|
||||
from app.modules.orders.schemas import (
|
||||
@@ -32,7 +33,7 @@ logger = logging.getLogger(__name__)
|
||||
vendor_exceptions_router = APIRouter(
|
||||
prefix="/order-exceptions",
|
||||
tags=["Vendor Order Item Exceptions"],
|
||||
dependencies=[Depends(require_module_access("orders"))],
|
||||
dependencies=[Depends(require_module_access("orders", FrontendType.VENDOR))],
|
||||
)
|
||||
|
||||
|
||||
|
||||
@@ -34,6 +34,7 @@ from sqlalchemy.orm import Session
|
||||
from app.api.deps import get_current_vendor_api, require_module_access
|
||||
from app.core.database import get_db
|
||||
from app.modules.billing.dependencies.feature_gate import RequireFeature
|
||||
from app.modules.enums import FrontendType
|
||||
from app.modules.orders.exceptions import (
|
||||
InvoicePDFNotFoundException,
|
||||
)
|
||||
@@ -55,7 +56,7 @@ from app.modules.orders.schemas import (
|
||||
|
||||
vendor_invoices_router = APIRouter(
|
||||
prefix="/invoices",
|
||||
dependencies=[Depends(require_module_access("orders"))],
|
||||
dependencies=[Depends(require_module_access("orders", FrontendType.VENDOR))],
|
||||
)
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||