fix: auth issues in fulltext screenings (#204)

bdewilde · web-flow · commit 31ac754752cc · 2026-02-26T18:59:15.000-05:00
diff --git a/colandr/api/v1/routes/fulltext_screenings.py b/colandr/api/v1/routes/fulltext_screenings.py
@@ -9,8 +9,7 @@
 
 from .... import models, tasks
 from ....extensions import db
-from ....utils import assign_status
-from .. import errors, schemas
+from .. import authz, errors, schemas
 
 
 bp = af.APIBlueprint("fulltext_screenings", __name__, url_prefix="/fulltexts")
@@ -37,15 +36,7 @@ def get(self, id, query_data):
         if not study:
             raise errors.NotFoundError(message=f"<Study(id={id})> not found")
 
-        if (
-            current_user.is_admin is False
-            and db.session.execute(
-                current_user.review_user_assoc.select().filter_by(
-                    review_id=study.review_id
-                )
-            ).one_or_none()
-            is None
-        ):
+        if not authz.user_is_allowed_for_review(current_user, study.review_id):
             raise errors.ForbiddenError(
                 message=f"{current_user} forbidden to get fulltext screenings for this review"
             )
@@ -92,15 +83,9 @@ def post(self, id, json_data):
         if not study:
             raise errors.NotFoundError(message=f"<Fulltext(id={id})> not found")
 
-        if (
-            current_user.is_admin is False
-            and db.session.execute(
-                current_user.review_user_assoc.select().filter_by(
-                    review_id=study.review_id
-                )
-            ).one_or_none()
-            is None
-        ) or study.review.status == "frozen":
+        if not authz.user_is_allowed_for_review(
+            current_user, study.review_id, if_frozen=False
+        ):
             raise errors.ForbiddenError(
                 message=f"{current_user} forbidden to screen fulltexts for this review"
             )
@@ -212,6 +197,7 @@ def put(self, id, json_data):
             403: "current app user forbidden to delete fulltext screening; has not screened fulltext, so nothing to delete",
             404: "no fulltext matching id was found",
         },
+        security="TokenAuth",
     )
     @bp.output({}, 204)
     @jwtext.jwt_required(fresh=True)
@@ -222,14 +208,9 @@ def delete(self, id):
         if not study:
             raise errors.NotFoundError(message=f"<Study(id={id})> not found")
 
-        if (
-            db.session.execute(
-                current_user.review_user_assoc.select().filter_by(
-                    review_id=study.review_id
-                )
-            ).one_or_none()
-            is None
-        ) or study.review.status == "frozen":
+        if not authz.user_is_allowed_for_review(
+            current_user, study.review_id, if_frozen=False
+        ):
             raise errors.ForbiddenError(
                 message=f"{current_user} forbidden to delete fulltext screening for this review"
             )
