From a9f168977bacd8b86c0e402ac2acb99848e23a64 Mon Sep 17 00:00:00 2001
From: Munyoki Kilyungi
Date: Tue, 1 Jul 2025 15:15:36 +0300
Subject: Add authorisation to view-diff endpoint.

Signed-off-by: Munyoki Kilyungi
---
 gn3/api/case_attributes.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'gn3/api/case_attributes.py')

diff --git a/gn3/api/case_attributes.py b/gn3/api/case_attributes.py
index e0ee9a5..60e0272 100644
--- a/gn3/api/case_attributes.py
+++ b/gn3/api/case_attributes.py
@@ -337,12 +337,15 @@ def reject_case_attributes_diff(filename: str, auth_token=None) -> Response:
 @require_token
 def view_diff(inbredset_id: int, diff_id: int, auth_token=None) -> Response:
     """View a diff."""
-    with (database_connection(current_app.config["SQL_URI"]) as conn,
-          conn.cursor(cursorclass=DictCursor) as cursor):
+    try:
         required_access(
             auth_token, inbredset_id, ("system:inbredset:view-case-attribute",))
         with (database_connection(current_app.config["SQL_URI"]) as conn,
-              conn.cursor() as cursor):
+              conn.cursor(cursorclass=DictCursor) as cursor):
             return jsonify(
                 view_change(cursor, change_id)
             )
+    except AuthorisationError as __auth_err:
+        return jsonify({
+            "message": ("You don't have the right privileges to view the diffs.")
+        })
-- 
cgit 1.4.1
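Review bot: The new `except AuthorisationError` branch returns its JSON message with Flask's default 200 status, so a caller who is denied access to the diff receives what looks like a successful response and any client or monitor keyed on status codes will record the denial as success; return an error status instead, e.g. `return jsonify({"message": "You don't have the right privileges to view the diffs."}), 403`, using whatever status the sibling endpoints in this file already use for the same failure (not visible here). The retained context line `view_change(cursor, change_id)` references `change_id`, which is not a parameter of `view_diff` (the signature takes `diff_id`); unless `change_id` is a module-level name, this raises `NameError` as a 500 once the authorisation check passes, and presumably should read `view_change(cursor, diff_id)`. The bound name `__auth_err` is never used and the double-underscore prefix is unconventional for a local; `except AuthorisationError:` is sufficient, or `_auth_err` if the file's style keeps the binding. The `try` body also wraps the database connection and query, which is broader than the `required_access` call that actually raises; that is harmless today but narrowing it would make the intent clearer.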