fix: Stripe publishable key should be accessible to user (#6277)

abhinavk96 · web-flow · commit 1ef10f5936c9 · 2019-08-01T00:02:41.000+05:30
diff --git a/app/api/schema/events.py b/app/api/schema/events.py
@@ -278,6 +278,13 @@ def validate_timezone(self, data, original_data):
                                 schema='UserSchemaPublic',
                                 type_='user',
                                 many=True)
+    stripe_authorization = Relationship(attribute='stripe_authorization',
+                                        self_view='v1.stripe_authorization_event',
+                                        self_view_kwargs={'id': '<id>'},
+                                        related_view='v1.stripe_authorization_detail',
+                                        related_view_kwargs={'event_id': '<id>'},
+                                        schema='StripeAuthorizationSchema',
+                                        type_='stripe-authorization')
 
 
 class EventSchema(EventSchemaPublic):
@@ -355,10 +362,3 @@ class Meta:
                              schema='AttendeeSchema',
                              many=True,
                              type_='attendee')
-    stripe_authorization = Relationship(attribute='stripe_authorization',
-                                        self_view='v1.stripe_authorization_event',
-                                        self_view_kwargs={'id': '<id>'},
-                                        related_view='v1.stripe_authorization_detail',
-                                        related_view_kwargs={'event_id': '<id>'},
-                                        schema='StripeAuthorizationSchema',
-                                        type_='stripe-authorization')
diff --git a/app/api/schema/stripe_authorization.py b/app/api/schema/stripe_authorization.py
@@ -5,7 +5,7 @@
 from app.api.schema.base import SoftDeletionSchema
 
 
-class StripeAuthorizationSchema(SoftDeletionSchema):
+class StripeAuthorizationSchemaPublic(SoftDeletionSchema):
     """
         Stripe Authorization Schema
     """
@@ -21,7 +21,6 @@ class Meta:
 
     id = fields.Str(dump_only=True)
     stripe_publishable_key = fields.Str(dump_only=True)
-    stripe_auth_code = fields.Str(load_only=True, required=True)
 
     event = Relationship(attribute='event',
                          self_view='v1.stripe_authorization_event',
@@ -30,3 +29,22 @@ class Meta:
                          related_view_kwargs={'stripe_authorization_id': '<id>'},
                          schema="EventSchema",
                          type_='event')
+
+
+class StripeAuthorizationSchema(StripeAuthorizationSchemaPublic):
+    """
+        Stripe Authorization Schema
+    """
+
+    class Meta:
+        """
+        Meta class for StripeAuthorization Api Schema
+        """
+        type_ = 'stripe-authorization'
+        self_view = 'v1.stripe_authorization_detail'
+        self_view_kwargs = {'id': '<id>'}
+        inflect = dasherize
+
+    stripe_auth_code = fields.Str(load_only=True, required=True)
+
+
diff --git a/app/api/stripe_authorization.py b/app/api/stripe_authorization.py
@@ -2,13 +2,14 @@
 from sqlalchemy.orm.exc import NoResultFound
 
 from app.api.bootstrap import api
+from flask import request
 from app.api.helpers.db import safe_query, get_count, save_to_db
 from app.api.helpers.exceptions import ForbiddenException, ConflictException, UnprocessableEntity
 from app.api.helpers.payment import StripePaymentsManager
 from app.api.helpers.permission_manager import has_access
 from app.api.helpers.permissions import jwt_required
 from app.api.helpers.utilities import require_relationship
-from app.api.schema.stripe_authorization import StripeAuthorizationSchema
+from app.api.schema.stripe_authorization import StripeAuthorizationSchema, StripeAuthorizationSchemaPublic
 from app.models import db
 from app.models.event import Event
 from app.models.stripe_authorization import StripeAuthorization
@@ -69,7 +70,8 @@ def after_create_object(self, stripe_authorization, data, view_kwargs):
         save_to_db(event)
 
     schema = StripeAuthorizationSchema
-    decorators = (jwt_required, )
+    decorators = (api.has_permission('is_coorganizer', fetch="event_id",
+                                     fetch_as="event_id", model=StripeAuthorization),)
     methods = ['POST']
     data_layer = {'session': db.session,
                   'model': StripeAuthorization,
@@ -83,6 +85,20 @@ class StripeAuthorizationDetail(ResourceDetail):
     """
     Stripe Authorization Detail Resource by ID
     """
+
+    def before_get(self, args, kwargs):
+        """
+        method for assigning schema based on access
+        :param args:
+        :param kwargs:
+        :return:
+        """
+        kwargs = get_id(kwargs)
+        if 'Authorization' in request.headers and has_access('is_coorganizer', event_id=kwargs['id']):
+            self.schema = StripeAuthorizationSchema
+        else:
+            self.schema = StripeAuthorizationSchemaPublic
+
     def before_get_object(self, view_kwargs):
         """
         method to get id of stripe authorization related to an event
@@ -107,8 +123,7 @@ def after_delete_object(self, stripe_authorization, view_kwargs):
         event.is_stripe_linked = False
         save_to_db(event)
 
-    decorators = (api.has_permission('is_coorganizer', fetch="event_id",
-                                     fetch_as="event_id", model=StripeAuthorization),)
+    decorators = (jwt_required,)
     schema = StripeAuthorizationSchema
     data_layer = {'session': db.session,
                   'model': StripeAuthorization,
@@ -123,8 +138,25 @@ class StripeAuthorizationRelationship(ResourceDetail):
     Stripe Authorization Relationship
     """
 
-    decorators = (api.has_permission('is_coorganizer', fetch="event_id",
-                                     fetch_as="event_id", model=StripeAuthorization),)
+    decorators = (jwt_required,)
     schema = StripeAuthorizationSchema
     data_layer = {'session': db.session,
                   'model': StripeAuthorization}
+
+
+def get_id(view_kwargs):
+    """
+    method to get the resource id for fetching details
+    :param view_kwargs:
+    :return:
+    """
+
+    if view_kwargs.get('event_identifier') is not None:
+        event = safe_query(db, Event, 'identifier', view_kwargs['event_identifier'], 'event_identifier')
+        if event.id is not None:
+            view_kwargs['event_id'] = event.id
+
+    if view_kwargs.get('event_id') is not None:
+        stripe_authorization = safe_query(db, StripeAuthorization, 'event_id', view_kwargs['event_id'], 'event_id')
+        view_kwargs['id'] = stripe_authorization.id
+    return view_kwargs
