Refactor herd_yearly_report authorization check

Updated the authorization logic in the herd_yearly_report function to streamline permission checks. The previous check for user editing rights was simplified by directly using the herd ID, enhancing code clarity and maintainability. This change ensures that only authorized users can access or create yearly reports for herds, improving security and user experience.
NBISweden · Jan 3, 2025 · 4d8be9c · 4d8be9c
1 parent 413ce4d
commit 4d8be9c
Showing 1 changed file with 3 additions and 10 deletions.
diff --git a/app/herdbook.py b/app/herdbook.py
@@ -1181,12 +1181,12 @@ def verify_certificate(i_number):
 @login_required
 def herd_yearly_report(h_id):
     """Get or create yearly report for a herd."""
-    if not user.can_edit(resource_type="herd", resource_id=h_id):
-        return {"status": "error", "message": "Not authorized"}
-
     user_id = session.get("user_id", None)
     user = da.fetch_user_info(user_id)
 
+    if not user.can_edit(h_id):
+        return {"status": "error", "message": "Not authorized"}
+
     # Fetch the herd data using the existing get_herd function
     herd_data = da.get_herd(h_id, user_id)
     if not herd_data:
@@ -1200,13 +1200,6 @@ def herd_yearly_report(h_id):
             404,
         )
 
-    # Use user.can_edit with h_id (herd code)
-    if not user.can_edit(h_id):
-        return (
-            jsonify({"status": "error", "message": "Permission denied"}),
-            403,
-        )
-
     # Get the herd_id from the herd_data
     herd_id = herd_data["id"]