Secu: verif permissions can_view/can_edit sur endpoints HTMX detail/edit

app/routers/audit.py

@@ -117,6 +117,9 @@ async def audit_detail(request: Request, audit_id: int, db=Depends(get_db)):
     user = get_current_user(request)
     if not user:
         return HTMLResponse("<p>Non autorisé</p>")
+    from ..dependencies import get_user_perms, can_view
+    if not can_view(get_user_perms(db, user), "audit"):
+        return HTMLResponse("<p>Non autorisé</p>")
     entry = db.execute(text("SELECT * FROM server_audit WHERE id = :id"),
                        {"id": audit_id}).fetchone()
     if not entry:

app/routers/servers.py

@@ -98,6 +98,9 @@ async def server_detail(request: Request, server_id: int, db=Depends(get_db)):
     user = get_current_user(request)
     if not user:
         return HTMLResponse("<p>Non autorise</p>")
+    from ..dependencies import get_user_perms, can_view
+    if not can_view(get_user_perms(db, user), "servers"):
+        return HTMLResponse("<p>Non autorise</p>")
     s = get_server_full(db, server_id)
     if not s:
         return HTMLResponse("<p>Serveur non trouve</p>")
@@ -115,6 +118,9 @@ async def server_edit(request: Request, server_id: int, db=Depends(get_db)):
     user = get_current_user(request)
     if not user:
         return HTMLResponse("<p>Non autorise</p>")
+    from ..dependencies import get_user_perms, can_edit
+    if not can_edit(get_user_perms(db, user), "servers"):
+        return HTMLResponse("<p>Non autorise</p>")
     s = get_server_full(db, server_id)
     if not s:
         return HTMLResponse("<p>Serveur non trouve</p>")