Index: app/main.py =================================================================== --- app/main.py (revision 539afcdf7c1712c74fa34fb209688b0e17762c72) +++ app/main.py (revision 6d7089148b75092cadc113c92f51cd4c3460b799) @@ -189,4 +189,7 @@ db: Session = Depends(get_db) ): + """ + Admin can fetch all transaction accounts. + """ if not is_admin(user.email): raise HTTPException( @@ -218,5 +221,14 @@ db: Session = Depends(get_db) ): - return db.query(TransactionAccount).filter(TransactionAccount.user_id == user.user_id).all() + """ + Admin can fetch all accounts, regular users only their accounts. + """ + query = db.query(TransactionAccount) + + if is_admin(user.email): + return query.all() + + return query.filter(TransactionAccount.user_id == user.user_id).all() + @app.post("/transactions/", response_model=TransactionResponse) @@ -227,16 +239,19 @@ ): """ + Admins can create transactions for any account; regular users only for their accounts. Create a transaction and associate it with the user's accounts via breakdowns. """ - # Validate target account ownership - target_account = db.query(TransactionAccount).filter( - TransactionAccount.transaction_account_id == transaction_request.target_account_id, - TransactionAccount.user_id == user.user_id - ).first() - if not target_account: - raise HTTPException( - status_code=403, - detail="Access denied to target account." - ) + # Admin bypasses ownership checks + if not is_admin(user.email): + # Validate target account ownership + target_account = db.query(TransactionAccount).filter( + TransactionAccount.transaction_account_id == transaction_request.target_account_id, + TransactionAccount.user_id == user.user_id + ).first() + if not target_account: + raise HTTPException( + status_code=403, + detail="Access denied to target account." + ) # Create transaction @@ -403,20 +418,34 @@ ): """ - Update a transaction only if it belongs to the logged-in user. - """ - # Check if the transaction exists and belongs to the user - transaction = ( - db.query(Transaction) - .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id) - .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id) - .filter(Transaction.transaction_id == transaction_id) - .filter(TransactionAccount.user_id == user.user_id) - .first() - ) - if not transaction: - raise HTTPException( - status_code=404, - detail="Transaction not found or access denied." - ) + Admins can update any transaction + Regular users update a transaction only if it belongs to the logged-in user. + """ + query = db.query(Transaction) + + if is_admin(user.email): + transaction = ( + query + .filter(Transaction.transaction_id == transaction_id) + .first() + ) + if not transaction: + raise HTTPException( + status_code=404, + detail="Transaction not found." + ) + else: + transaction = ( + query + .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id) + .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id) + .filter(Transaction.transaction_id == transaction_id) + .filter(TransactionAccount.user_id == user.user_id) + .first() + ) + if not transaction: + raise HTTPException( + status_code=404, + detail="Transaction not found or access denied." + ) # Update transaction fields @@ -435,21 +464,34 @@ ): """ - Delete a transaction only if it belongs to the logged-in user. - """ - # Check if the transaction exists and belongs to the user - transaction = ( - db.query(Transaction) - .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id) - .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id) - .filter(Transaction.transaction_id == transaction_id) - .filter(TransactionAccount.user_id == user.user_id) - .first() - ) - - if not transaction: - raise HTTPException( - status_code=404, - detail="Transaction not found or access denied." - ) + Admins can delete any transaction + Regular users can delete a transaction only if it belongs to the logged-in user. + """ + query = db.query(Transaction) + + if is_admin(user.email): + transaction = ( + query + .filter(Transaction.transaction_id == transaction_id) + .first() + ) + if not transaction: + raise HTTPException( + status_code=404, + detail="Transaction not found." + ) + else: + transaction = ( + query + .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id) + .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id) + .filter(Transaction.transaction_id == transaction_id) + .filter(TransactionAccount.user_id == user.user_id) + .first() + ) + if not transaction: + raise HTTPException( + status_code=404, + detail="Transaction not found or access denied." + ) db.delete(transaction) @@ -532,6 +574,10 @@ ): """ - Retrieve tags accessible to the logged-in user based on their transactions. - """ + Admins can fetch all tags + Regular users can retrieve tags accessible to the logged-in user based on their transactions. + """ + if is_admin(user.email): + return db.query(Tag).all() + accessible_tags = ( db.query(Tag) @@ -553,7 +599,9 @@ ): """ - Assign a tag to a transaction only if: - - The transaction belongs to the logged-in user. - - The tag is accessible to the logged-in user (created by them or accessible via a transaction). + Assign a tag to a transaction. + - Admins can assign any tag to any transaction. + - Regular users can assign a tag if: + - The transaction belongs to them. + - The tag is accessible (created by them or linked to their transactions). """ # Ensure the transaction belongs to the logged-in user @@ -621,5 +669,7 @@ ): """ - Retrieve tags for a specific transaction if the transaction belongs to the logged-in user or if the user is an admin. + Retrieve tags for a specific transaction. + - Admins can retrieve tags for any transaction. + - Regular users can retrieve tags if the transaction belongs to them. """ # Admins can access tags for any transaction