Use exception class Forbidden to raise 403 errors.

backend/api/campaigns/resources.py

@@ -1,6 +1,7 @@
 from flask_restful import Resource, request, current_app
 from schematics.exceptions import DataError
 
+from backend.exceptions import Forbidden
 from backend.models.dtos.campaign_dto import CampaignDTO, NewCampaignDTO
 from backend.services.campaign_service import CampaignService
 from backend.services.organisation_service import OrganisationService
@@ -115,15 +116,11 @@ def patch(self, campaign_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"CampaignsRestAPI PATCH: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         try:
             campaign_dto = CampaignDTO(request.get_json())
@@ -179,15 +176,11 @@ def delete(self, campaign_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"CampaignsRestAPI DELETE: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         campaign = CampaignService.get_campaign(campaign_id)
         CampaignService.delete_campaign(campaign.id)
@@ -268,15 +261,11 @@ def post(self):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"CampaignsAllAPI POST: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         try:
             campaign_dto = NewCampaignDTO(request.get_json())

backend/api/comments/resources.py

@@ -1,6 +1,7 @@
 from flask_restful import Resource, request, current_app
 from schematics.exceptions import DataError
 
+from backend.exceptions import Forbidden
 from backend.models.dtos.message_dto import ChatMessageDTO
 from backend.models.dtos.mapping_dto import TaskCommentDTO
 from backend.services.messaging.chat_service import ChatService
@@ -53,7 +54,7 @@ def post(self, project_id):
         """
         authenticated_user_id = token_auth.current_user()
         if UserService.is_user_blocked(authenticated_user_id):
-            return {"Error": "User is on read only mode", "SubCode": "ReadOnly"}, 403
+            raise Forbidden(sub_code="USER_BLOCKED")
 
         try:
             chat_dto = ChatMessageDTO(request.get_json())
@@ -67,13 +68,10 @@ def post(self, project_id):
                 "SubCode": "InvalidData",
             }, 400
 
-        try:
-            project_messages = ChatService.post_message(
-                chat_dto, project_id, authenticated_user_id
-            )
-            return project_messages.to_primitive(), 201
-        except ValueError as e:
-            return {"Error": str(e).split("-")[1], "SubCode": str(e).split("-")[0]}, 403
+        project_messages = ChatService.post_message(
+            chat_dto, project_id, authenticated_user_id
+        )
+        return project_messages.to_primitive(), 201
 
     def get(self, project_id):
         """
@@ -155,13 +153,10 @@ def delete(self, project_id, comment_id):
                 description: Internal Server Error
         """
         authenticated_user_id = token_auth.current_user()
-        try:
-            ChatService.delete_project_chat_by_id(
-                project_id, comment_id, authenticated_user_id
-            )
-            return {"Success": "Comment deleted"}, 200
-        except ValueError as e:
-            return {"Error": str(e).split("-")[1], "SubCode": str(e).split("-")[0]}, 403
+        ChatService.delete_project_chat_by_id(
+            project_id, comment_id, authenticated_user_id
+        )
+        return {"Success": "Comment deleted"}, 200
 
 
 class CommentsTasksRestAPI(Resource):
@@ -222,7 +217,7 @@ def post(self, project_id, task_id):
         """
         authenticated_user_id = token_auth.current_user()
         if UserService.is_user_blocked(authenticated_user_id):
-            return {"Error": "User is on read only mode", "SubCode": "ReadOnly"}, 403
+            raise Forbidden(sub_code="USER_BLOCKED")
 
         try:
             task_comment = TaskCommentDTO(request.get_json())
@@ -234,11 +229,8 @@ def post(self, project_id, task_id):
             current_app.logger.error(f"Error validating request: {str(e)}")
             return {"Error": "Unable to add comment", "SubCode": "InvalidData"}, 400
 
-        try:
-            task = MappingService.add_task_comment(task_comment)
-            return task.to_primitive(), 201
-        except MappingServiceError:
-            return {"Error": "Task update failed"}, 403
+        task = MappingService.add_task_comment(task_comment)
+        return task.to_primitive(), 201
 
     def get(self, project_id, task_id):
         """

backend/api/interests/resources.py

@@ -1,6 +1,7 @@
 from flask_restful import Resource, current_app, request
 from schematics.exceptions import DataError
 
+from backend.exceptions import Forbidden
 from backend.models.dtos.interests_dto import InterestDTO
 from backend.services.interests_service import InterestService
 from backend.services.organisation_service import OrganisationService
@@ -9,6 +10,7 @@
 from sqlalchemy.exc import IntegrityError
 
 INTEREST_NOT_FOUND = "Interest Not Found"
+# FLAGGED FOR PERMISSIONS REVIEW
 
 
 class InterestsAllAPI(Resource):
@@ -49,15 +51,11 @@ def post(self):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"InterestsAllAPI POST: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         try:
             interest_dto = InterestDTO(request.get_json())
@@ -133,15 +131,12 @@ def get(self, interest_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"InterestsRestAPI GET: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        # FLAGGED
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         interest = InterestService.get(interest_id)
         return interest.to_primitive(), 200
@@ -191,15 +186,11 @@ def patch(self, interest_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"InterestsRestAPI PATCH: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         try:
             interest_dto = InterestDTO(request.get_json())
@@ -245,15 +236,11 @@ def delete(self, interest_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
-                token_auth.current_user()
-            )
-            if len(orgs_dto.organisations) < 1:
-                raise ValueError("User not a Org Manager")
-        except ValueError as e:
-            error_msg = f"InterestsRestAPI DELETE: {str(e)}"
-            return {"Error": error_msg, "SubCode": "UserNotPermitted"}, 403
+        orgs_dto = OrganisationService.get_organisations_managed_by_user_as_dto(
+            token_auth.current_user()
+        )
+        if len(orgs_dto.organisations) < 1:
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
         InterestService.delete(interest_id)
         return {"Success": "Interest deleted"}, 200

backend/api/notifications/resources.py

@@ -1,8 +1,5 @@
 from flask_restful import Resource, request
-from backend.services.messaging.message_service import (
-    MessageService,
-    MessageServiceError,
-)
+from backend.services.messaging.message_service import MessageService
 from backend.services.notification_service import NotificationService
 from backend.services.users.authentication_service import token_auth, tm
 
@@ -41,13 +38,10 @@ def get(self, message_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            user_message = MessageService.get_message_as_dto(
-                message_id, token_auth.current_user()
-            )
-            return user_message.to_primitive(), 200
-        except MessageServiceError as e:
-            return {"Error": str(e).split("-")[1], "SubCode": str(e).split("-")[0]}, 403
+        user_message = MessageService.get_message_as_dto(
+            message_id, token_auth.current_user()
+        )
+        return user_message.to_primitive(), 200
 
     @tm.pm_only(False)
     @token_auth.login_required
@@ -82,11 +76,8 @@ def delete(self, message_id):
             500:
                 description: Internal Server Error
         """
-        try:
-            MessageService.delete_message(message_id, token_auth.current_user())
-            return {"Success": "Message deleted"}, 200
-        except MessageServiceError as e:
-            return {"Error": str(e).split("-")[1], "SubCode": str(e).split("-")[0]}, 403
+        MessageService.delete_message(message_id, token_auth.current_user())
+        return {"Success": "Message deleted"}, 200
 
 
 class NotificationsAllAPI(Resource):

backend/api/organisations/campaigns.py

@@ -1,5 +1,6 @@
 from flask_restful import Resource
 
+from backend.exceptions import Forbidden
 from backend.services.campaign_service import CampaignService
 from backend.services.organisation_service import OrganisationService
 from backend.services.users.authentication_service import token_auth
@@ -63,10 +64,7 @@ def post(self, organisation_id, campaign_id):
             )
             return {"Success": message}, 200
         else:
-            return {
-                "Error": "User is not a manager of the organisation",
-                "SubCode": "UserNotPermitted",
-            }, 403
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")
 
     def get(self, organisation_id):
         """
@@ -149,7 +147,4 @@ def delete(self, organisation_id, campaign_id):
                 200,
             )
         else:
-            return {
-                "Error": "User is not a manager of the organisation",
-                "SubCode": "UserNotPermitted",
-            }, 403
+            raise Forbidden(sub_code="USER_NOT_ORG_MANAGER")