Merge pull request #10 from gazev/session

fix: roles management

.gitignore

@@ -4,6 +4,7 @@ __pycache__/
 
 data/flask_sessions/
 data/logs/
+data/photos/
 *.sqlite3
 
 .env

app/api/members/routes.py

@@ -260,7 +260,9 @@ def add_member_role(username):
     roles = member_service.add_member_role(member, **json_data)
     if roles is None:
         throw_api_error(HTTPStatus.NOT_FOUND, {"error": "User already has this role"})
-    session['roles'] = roles
+
+    if session.get('username', '') == member.username:
+        session['roles'] = roles
 
     return roles
 
@@ -299,6 +301,8 @@ def remove_member_role(username):
     roles = member_service.remove_member_role(member, **json_data)
     if roles is None:
         throw_api_error(HTTPStatus.NOT_FOUND, {"error": "User does not have this role"})
-    session['roles'] = roles 
+
+    if session.get('username', '') == member.username:
+        session['roles'] = roles
 
     return roles

app/roles/roles_handler.py

@@ -42,6 +42,11 @@ def has_permission(self, roles_list: List[str], permission: str):
     def has_higher_level(self, roles_list: List[str], role: str):
         """" Checks whether any role in `roles_list` has higher level than `role`. """
         _, highest_lvl = self._get_highest(roles_list)
+        print(highest_lvl)
+        print(role)
+        print(self._get_role_level(role))
+        if highest_lvl == 0:
+            return True # level 0 has all permissions
         return highest_lvl < self._get_role_level(role) # < instead of <= means we cannot add "horizontally"
 
     def init_app(self, app: Flask) -> None: