Index: app/main.py
===================================================================
--- app/main.py	(revision 58300d6b3925a17ea8fe81365ae6a54f14a6905d)
+++ app/main.py	(revision 6bb334f21463eb80533eaf85fdffaa2de8f8d967)
@@ -287,9 +287,26 @@
 
 @app.put("/transactions/{transaction_id}", response_model=TransactionResponse)
-def update_transaction(transaction_id: int, transaction_update: TransactionUpdate, db: Session = Depends(get_db)):
-    transaction = db.query(Transaction).filter(Transaction.transaction_id == transaction_id).first()
+def update_transaction(
+    transaction_id: int,
+    transaction_update: TransactionUpdate, 
+    user: User = Depends(get_current_user), 
+    db: Session = Depends(get_db)
+):
+    """
+    Update a transaction only if it belongs to the logged-in user.
+    """
+    # Check if the transaction exists and belongs to the user
+    transaction = (
+        db.query(Transaction)
+        .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id)
+        .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id)
+        .filter(Transaction.transaction_id == transaction_id)
+        .filter(TransactionAccount.user_id == user.user_id)
+        .first()
+    )
     if not transaction:
-        raise HTTPException(status_code=404, detail="Transaction not found")
-
+        raise HTTPException(status_code=404, detail="Transaction not found or access denied.")
+
+    # Update transaction fields
     for key, value in transaction_update.dict(exclude_unset=True).items():
         setattr(transaction, key, value)
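Review bot: The ownership filter in `update_transaction` passes as soon as one `TransactionBreakdown` row of the transaction points at an account with `user_id == user.user_id`. If a transaction can carry breakdown rows on accounts of different users (the schema is not visible in this diff), each of those users can edit it here and delete it whole in `delete_transaction`. If that is not intended, the check should also require that no breakdown row sits on another user's account. The same query is pasted into `delete_transaction` in the next hunk; one shared helper, called as `transaction = get_owned_transaction(db, transaction_id, user.user_id)`, would keep the two authorization checks from drifting apart. The body of `update_transaction` continues past the end of this hunk.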
@@ -300,8 +317,24 @@
 
 @app.delete("/transactions/{transaction_id}")
-def delete_transaction(transaction_id: int, db: Session = Depends(get_db)):
-    transaction = db.query(Transaction).filter(Transaction.transaction_id == transaction_id).first()
+def delete_transaction(
+    transaction_id: int,
+    user: User = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """
+    Delete a transaction only if it belongs to the logged-in user.
+    """
+    # Check if the transaction exists and belongs to the user
+    transaction = (
+        db.query(Transaction)
+        .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id)
+        .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id)
+        .filter(Transaction.transaction_id == transaction_id)
+        .filter(TransactionAccount.user_id == user.user_id)
+        .first()
+    )
+
     if not transaction:
-        raise HTTPException(status_code=404, detail="Transaction not found")
+        raise HTTPException(status_code=404, detail="Transaction not found or access denied.")
 
     db.delete(transaction)
Index: cli/cli_app.py
===================================================================
--- cli/cli_app.py	(revision 58300d6b3925a17ea8fe81365ae6a54f14a6905d)
+++ cli/cli_app.py	(revision 6bb334f21463eb80533eaf85fdffaa2de8f8d967)
@@ -285,4 +285,6 @@
 
 def modify_transaction():
+    headers = {"Authorization": f"Bearer {access_token}"}
+
     print("\nModify Transaction")
     transaction_id = int(input("Enter transaction ID to modify: "))
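Review bot: `headers` is built from `access_token` at the top of `modify_transaction` without checking that a login has happened. The token's definition is outside this diff, but if it is still unset (presumably `None` or empty before login) the request goes out as `Authorization: Bearer None` and the user only sees a generic failure from the server. A guard before the prompt, `if not access_token: print("Please log in first.")` followed by `return`, makes that state explicit. `delete_transaction` in a later hunk builds the header the same way and needs the same guard. The function body continues outside this hunk.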
@@ -292,4 +294,5 @@
     date = input("Enter new date (YYYY-MM-DDTHH:MM:SS+HH:MM) (or leave blank): ")
 
+    # Build the request payload
     data = {}
     if transaction_name:
@@ -302,5 +305,6 @@
         data["date"] = date
 
-    response = requests.put(f"{BASE_URL}/transactions/{transaction_id}", json=data)
+    # Make the PUT request with the Authorization header
+    response = requests.put(f"{BASE_URL}/transactions/{transaction_id}", json=data, headers=headers)
 
     if response.status_code == 200:
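Review bot: The `requests.put` call now carries the bearer token, but nothing in this hunk shows that `BASE_URL` is an `https://` URL. Over plain HTTP the token is readable by anything on the network path, so the CLI should confirm or enforce the scheme where `BASE_URL` is defined. The call also has no `timeout=`, so a stalled server hangs the CLI indefinitely; `requests.put(..., json=data, headers=headers, timeout=10)` bounds it. The `requests.delete` call in `delete_transaction` has the same shape.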
@@ -308,11 +312,14 @@
     else:
         print("Failed to modify transaction.")
-        print(f"Error: {response.json().get('detail', 'Unknown error')}")
+        error_message = response.json().get('detail', 'Unknown error')
+        print(f"Error: {error_message}")
 
 def delete_transaction():
+    headers = {"Authorization": f"Bearer {access_token}"}
+
     print("\nDelete Transaction")
     transaction_id = int(input("Enter transaction ID to delete: "))
 
-    response = requests.delete(f"{BASE_URL}/transactions/{transaction_id}")
+    response = requests.delete(f"{BASE_URL}/transactions/{transaction_id}", headers=headers)
 
     if response.status_code == 200:
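Review bot: `response.json()` in the failure branch raises when the body is not JSON (an HTML error page from a proxy, an empty 5xx), so the error path itself can end in a traceback. Wrap the parse: `try: error_message = response.json().get('detail', 'Unknown error')` with `except ValueError: error_message = response.text or 'Unknown error'`. Now that the endpoints require authentication, a 401 is an expected outcome here; a branch on `response.status_code == 401` that tells the user to log in again would be clearer than the generic message. The same two lines appear in `delete_transaction` in the last hunk.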
@@ -320,5 +327,6 @@
     else:
         print("Failed to delete transaction.")
-        print(f"Error: {response.json().get('detail', 'Unknown error')}")
+        error_message = response.json().get('detail', 'Unknown error')
+        print(f"Error: {error_message}")
 
 def add_tag():
