Index: app/main.py =================================================================== --- app/main.py (revision 05f32c936f0a89e7592cb2a4eabd8d63fdeded0c) +++ app/main.py (revision be059650fd0b3ce4b0c12cb408ae0d71f73032e7) @@ -453,14 +453,63 @@ @app.post("/tags/assign/", response_model=dict) -def assign_tag_to_transaction(tag_assign: TagAssign, db: Session = Depends(get_db)): - transaction = db.query(Transaction).filter(Transaction.transaction_id == tag_assign.transaction_id).first() - tag = db.query(Tag).filter(Tag.tag_id == tag_assign.tag_id).first() - - if not transaction or not tag: - raise HTTPException(status_code=404, detail="Transaction or Tag not found") - - assignment = TagAssignedToTransaction(transaction_id=tag_assign.transaction_id, tag_id=tag_assign.tag_id) +def assign_tag_to_transaction( + tag_assign: TagAssign, + user: User = Depends(get_current_user), + db: Session = Depends(get_db) +): + """ + Assign a tag to a transaction only if: + - The transaction belongs to the logged-in user. + - The tag is accessible to the logged-in user (created by them or accessible via a transaction). + """ + # Ensure the transaction belongs to the logged-in user + transaction = ( + db.query(Transaction) + .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id) + .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id) + .filter(Transaction.transaction_id == tag_assign.transaction_id) + .filter(TransactionAccount.user_id == user.user_id) + .first() + ) + if not transaction: + raise HTTPException(status_code=404, detail="Transaction not found or access denied.") + + # Ensure the tag is accessible to the logged-in user + tag_accessible = ( + db.query(Tag) + .join(TagAssignedToTransaction, Tag.tag_id == TagAssignedToTransaction.tag_id, isouter=True) + .join(Transaction, TagAssignedToTransaction.transaction_id == Transaction.transaction_id, isouter=True) + .join(TransactionBreakdown, Transaction.transaction_id == TransactionBreakdown.transaction_id, isouter=True) + .join(TransactionAccount, TransactionBreakdown.transaction_account_id == TransactionAccount.transaction_account_id, isouter=True) + .filter(Tag.tag_id == tag_assign.tag_id) + .filter( + (TransactionAccount.user_id == user.user_id) | # Tag linked to the user's transactions + (TransactionAccount.user_id.is_(None)) # Newly created tag not yet assigned + ) + .first() + ) + if not tag_accessible: + raise HTTPException(status_code=404, detail="Access denied to the tag.") + + # Check if the tag is already assigned to the transaction + existing_assignment = ( + db.query(TagAssignedToTransaction) + .filter( + TagAssignedToTransaction.transaction_id == tag_assign.transaction_id, + TagAssignedToTransaction.tag_id == tag_assign.tag_id, + ) + .first() + ) + if existing_assignment: + raise HTTPException(status_code=400, detail="Tag already assigned to this transaction.") + + # Assign the tag to the transaction + assignment = TagAssignedToTransaction( + transaction_id=tag_assign.transaction_id, + tag_id=tag_assign.tag_id, + ) db.add(assignment) db.commit() + return {"message": "Tag assigned to transaction successfully"} Index: cli/cli_app.py =================================================================== --- cli/cli_app.py (revision 05f32c936f0a89e7592cb2a4eabd8d63fdeded0c) +++ cli/cli_app.py (revision be059650fd0b3ce4b0c12cb408ae0d71f73032e7) @@ -361,4 +361,6 @@ def assign_tag_to_transaction(): + headers = {"Authorization": f"Bearer {access_token}"} + print("\nAssign Tag to Transaction") transaction_id = int(input("Enter transaction ID: ")) @@ -368,5 +370,5 @@ "transaction_id": transaction_id, "tag_id": tag_id - }) + }, headers=headers) if response.status_code == 200: