authorMunyoki Kilyungi2025-07-01 15:15:36 +0300
committerBonfaceKilz2025-07-07 07:58:31 +0300
commita9f168977bacd8b86c0e402ac2acb99848e23a64 (patch)
treecc5e5707f2dccccfc374f31b0d80b9b59bbe8904 /gn3/api
parent58402654ab2b497a490ee78ab34beeffb9123dcf (diff)
downloadgenenetwork3-a9f168977bacd8b86c0e402ac2acb99848e23a64.tar.gz
Add authorisation to view-diff endpoint.
Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
Diffstat (limited to 'gn3/api')
-rw-r--r--gn3/api/case_attributes.py9
1 files changed, 6 insertions, 3 deletions
diff --git a/gn3/api/case_attributes.py b/gn3/api/case_attributes.py
index e0ee9a5..60e0272 100644
--- a/gn3/api/case_attributes.py
+++ b/gn3/api/case_attributes.py
@@ -337,12 +337,15 @@ def reject_case_attributes_diff(filename: str, auth_token=None) -> Response:
 @require_token
 def view_diff(inbredset_id: int, diff_id: int, auth_token=None) -> Response:
     """View a diff."""
-    with (database_connection(current_app.config["SQL_URI"]) as conn,
-          conn.cursor(cursorclass=DictCursor) as cursor):
+    try:
         required_access(
             auth_token, inbredset_id, ("system:inbredset:view-case-attribute",))
         with (database_connection(current_app.config["SQL_URI"]) as conn,
-              conn.cursor() as cursor):
+              conn.cursor(cursorclass=DictCursor) as cursor):
             return jsonify(
                 view_change(cursor, change_id)
             )
+    except AuthorisationError as __auth_err:
+        return jsonify({
+            "message": ("You don't have the right privileges to view the diffs.")
+        })
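Review bot: The new `except AuthorisationError` branch returns `jsonify(...)` with the default 200 status, so a denied request looks like a success to any client or log monitor that keys on the status code; return a 4xx with the body, e.g. close the call with `}), 403`, and either log `__auth_err` or drop the unused binding. Inside the `try`, `view_change(cursor, change_id)` uses `change_id` while the visible signature only provides `diff_id`; unless `change_id` is defined outside this hunk, the call raises NameError and should be passed `diff_id`. The privilege check is made against the `inbredset_id` taken from the request, but nothing visible here ties the diff being fetched to that inbredset, so it is worth confirming that `view_change` (not shown) restricts the lookup accordingly. Any route decorator for `view_diff` sits above the hunk.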