Auth for edit games

routes/games.py

@@ -1,5 +1,5 @@
 from sqlalchemy.ext.asyncio import AsyncSession
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, status
 
 import database as db
 from file_handler import *
@@ -33,11 +33,29 @@ async def get_game(game_id: int, db_session: AsyncSession = Depends(db.get_sessi
 @games_router.put("/{game_id}", response_model=db.Game)
 async def edit_game(game_id: int,
                     game: db.GameCreate,
+                    user: db.User = Depends(get_user),
                     db_session: AsyncSession = Depends(db.get_session)):
+    game_db = await db.get_game(db_session, game_id)
+    if (game_db is None):
+        raise HTTPException(status.HTTP_404_NOT_FOUND,
+                            detail=f"Game with id={game_id} not found")
+    if (user.id != game_db.owner_id):
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED,
+                            detail=f"Game can only be edited "
+                            "by the owner (creator)")
     return await db.edit_game(db_session, game_id, game)
 
 
 @games_router.delete("/{game_id}", response_model=db.Game)
 async def delete_game(game_id: int,
+                      user: db.User = Depends(get_user),
                       db_session: AsyncSession = Depends(db.get_session)):
+    game_db = await db.get_game(db_session, game_id)
+    if (game_db is None):
+        raise HTTPException(status.HTTP_404_NOT_FOUND,
+                            detail=f"Game with id={game_id} not found")
+    if (user.id != game_db.owner_id):
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED,
+                            detail=f"Game can only be deleted "
+                            "by the owner (creator)")
     return await db.delete_game(db_session, game_id)