Fix logic that determines who can delete a group secret

tapis-project · Sep 12, 2024 · 65bdf1b · 65bdf1b
1 parent 129d48b
commit 65bdf1b
Showing 1 changed file with 28 additions and 27 deletions.
diff --git a/src/api/src/backend/views/GroupSecrets.py b/src/api/src/backend/views/GroupSecrets.py
@@ -94,47 +94,48 @@ def post(self, request, group_id, *_, **__):
                 group=group,
                 secret=secret
             )
+
+            return BaseResponse(result=GroupSecretSerializer.serialize(group_secret))
+
         except (IntegrityError, OperationalError, DatabaseError) as e:
             return BadRequest(message=e.__cause__)
         except Exception as e:
             logger.exception(e.__cause__)
             return ServerError(f"{e}")
 
-        return BaseResponse(result=GroupSecretSerializer.serialize(group_secret))
-
     def put(self, *_, **__):
         return MethodNotAllowed("Method 'PUT' not allowed for 'GroupSecret' objects")
 
     def patch(self, *_, **__):
         return MethodNotAllowed("Method 'PATCH' not allowed for 'GroupSecret' objects")
 
     def delete(self, request, group_id, group_secret_id):
-        # Get the group
-        group = group_service.get(group_id, request.tenant_id)
-        if group == None:
-            return NotFound(f"No group found with id '{group_id}'")
-
-        # Check that the user belongs to the group
-        if not group_service.user_in_group(request.username, group_id, request.tenant_id):
-            return Forbidden(message="You do not have access to this group")
-
-        # Get the group secret
-        group_secret = GroupSecret.objects.filter(
-            group=group,
-            id=group_secret_id
-        ).prefetch_related("secret").first()
-
-        if group_secret == None:
-            return NotFound(f"Secret with id '{group_secret_id}' not found in group '{group.id}'")
-
-        # Only group_secret owners can delete the group_secret
-        if (
-            request.username != group_secret.secret.owner
-            or group_service.user_in_group(request.username, group_id, request.tenant_id, is_admin=True)
-        ):
-            return Forbidden(message="Only GroupSecret owners and group admins can delete a GroupSecret")
-
         try:
+            # Get the group
+            group = group_service.get(group_id, request.tenant_id)
+            if group == None:
+                return NotFound(f"No group found with id '{group_id}'")
+
+            # Check that the user belongs to the group
+            if not group_service.user_in_group(request.username, group_id, request.tenant_id):
+                return Forbidden(message="You do not have access to this group")
+
+            # Get the group secret
+            group_secret = GroupSecret.objects.filter(
+                group=group,
+                id=group_secret_id
+            ).prefetch_related("secret").first()
+
+            if group_secret == None:
+                return NotFound(f"Secret with id '{group_secret_id}' not found in group '{group.id}'")
+
+            # Only group_secret owners can delete the group_secret
+            if (
+                request.username != group_secret.secret.owner
+                and not group_service.user_in_group(request.username, group_id, request.tenant_id, is_admin=True)
+            ):
+                return Forbidden(message="Only GroupSecret owners and group admins can delete a GroupSecret")
+
             group_secret.delete()
         except Exception as e:
             logger.exception(e.__cause__)