From a543d9c60cb6a2428a733d71976505a64e39267e Mon Sep 17 00:00:00 2001
From: Alexandre Pulido
Date: Thu, 2 May 2024 00:45:04 +0200
Subject: [PATCH] fix routes permissions
---
 app/app.py | 10 ++++++++--
 app/auth.py | 1 -
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/app/app.py b/app/app.py
index a0f35de..9061e72 100644
--- a/app/app.py
+++ b/app/app.py
@@ -22,6 +22,7 @@ def init():
 app.config["SQLALCHEMY_DATABASE_URI"] = OWNFOIL_DB
 # TODO: generate random secret_key
 app.config['SECRET_KEY'] = '8accb915665f11dfa15c2db1a4e8026905f57716'
+app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 db.init_app(app)
@@ -85,11 +86,13 @@ def settings_page():
 return render_template('settings.html', title='Settings', languages_from_titledb=languages, admin_account_created=admin_account_created(), valid_keys=app_settings['valid_keys'])
 @app.get('/api/settings')
+@access_required('admin')
 def get_settings_api():
 reload_conf()
 return jsonify(app_settings)
 @app.post('/api/settings/')
+@access_required('admin')
 def set_settings_api(section=None):
 data = request.json
 settings_valid, errors = verify_settings(section, data)
@@ -110,6 +113,7 @@ def allowed_file(filename):
 filename.rsplit('.', 1)[1].lower() in ['keys', 'txt']
 @app.post('/api/upload')
+@access_required('admin')
 def upload_file():
 errors = []
 success = False
@@ -136,6 +140,7 @@ def upload_file():
 return jsonify(resp)
 @app.route('/api/titles', methods=['GET'])
+@access_required('shop')
 def get_all_titles():
 titles = get_all_titles_from_db()
 games_info = []
@@ -180,6 +185,7 @@ def get_all_titles():
 return sorted(games_info, key=lambda x: ("title_id_name" not in x, x.get("title_id_name", None), x['app_id']))
 @app.route('/api/get_game/')
+@access_required('shop')
 def serve_game(id):
 filepath = db.session.query(Files.filepath).filter_by(id=id).first()[0]
 filedir, filename = os.path.split(filepath)
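Review bot: The hard-coded `SECRET_KEY` that stays in the `@@ -22,6 +22,7 @@` hunk of app/app.py weakens the `@access_required` checks added in the later hunks, assuming those checks rest on the Flask session (the `LoginManager` set up in app/auth.py suggests they do). The value is committed to the repository, so the session signature no longer proves that a cookie was issued by this server. The TODO above it should be resolved alongside this change, for example `app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY') or secrets.token_hex(32)` with `import secrets` added, and the generated value persisted so sessions survive a restart and are shared across workers. Existing deployments need the key rotated, which signs every current session out.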
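Review bot: Nothing in this diff shows how `access_required` behaves for a caller who is not logged in or lacks the role, and the four hunks that add it (`@@ -85,11`, `@@ -110,6`, `@@ -136,6`, `@@ -180,6`) all depend on that. Its definition is outside the patch, so please confirm it fails closed, including in the state before an admin account exists, which `admin_account_created()` in the `settings_page` context line implies is possible. A short comment on each route stating the required role and the reason would make the intent reviewable, e.g. `# admin only: returns the whole app_settings dict` above `get_settings_api`. A test that requests each of these routes without a session and expects a refusal would keep the decorators from being dropped later.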
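Review bot: In `serve_game` (the `@@ -180,6 +185,7 @@` hunk), `.first()[0]` raises `TypeError` when no `Files` row matches `id`, so an authorised shop client asking for an unknown id gets a 500 rather than a 404. Guard the lookup: `row = db.session.query(Files.filepath).filter_by(id=id).first()` followed by `if row is None: abort(404)`, with `abort` imported from flask if it is not already. The function body continues past the end of the hunk, so how `filedir` and `filename` are served is not visible here.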
@@ -238,11 +244,11 @@ def get_library_status(title_id):
 game_latest_version = get_game_latest_version(available_versions)
 for version in available_versions:
 if len(list(filter(lambda x: x.get('type') == APP_TYPE_UPD and str(x.get('version')) == str(version['version']), title_files))):
- version['has_version'] = True
+ version['owned'] = True
 if str(version['version']) == str(game_latest_version):
 has_latest_version = True
 else:
- version['has_version'] = False
+ version['owned'] = False
 all_existing_dlcs = get_all_existing_dlc(title_id)
 owned_dlcs = [t['app_id'] for t in title_files if t['type'] == APP_TYPE_DLC]
diff --git a/app/auth.py b/app/auth.py
index 5fa3002..273bc9b 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -86,7 +86,6 @@ def basic_auth(request):
 login_manager = LoginManager()
 login_manager.login_view = 'auth.login'
-@auth_blueprint.route('/login')
 @auth_blueprint.route("/login", methods=["GET", "POST"])
 def login():
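Review bot: The rename of the `has_version` key to `owned` in `get_library_status` (both branches of the `if` in the `@@ -238,11 +244,11 @@` hunk) is unrelated to route permissions and changes the shape of the data this function produces. The diffstat lists only app/app.py and app/auth.py, so any template or client script that still reads `has_version` would silently see a missing key; confirm the consumers were updated, or move the rename to its own commit. Separately, the condition `len(list(filter(lambda ...)))` builds a list only to test it for emptiness; `any(x.get('type') == APP_TYPE_UPD and str(x.get('version')) == str(version['version']) for x in title_files)` says the same thing directly. The function starts and ends outside the hunk.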