fix: missing awaits on permission check calls

jbriones1 · jbriones1 · commit 268fd97a51d3 · 2025-12-19T01:24:20.000-08:00
diff --git a/src/dependencies.py b/src/dependencies.py
@@ -34,7 +34,9 @@ async def logged_in_user(db_session: database.DBSession, session_id: Annotated[s
 
 
 async def perm_election(db_session: database.DBSession, computing_id: LoggedInUser) -> str:
-    if not is_user_website_admin(computing_id, db_session) or is_user_election_officer(computing_id, db_session):
+    if not await is_user_website_admin(computing_id, db_session) or not await is_user_election_officer(
+        computing_id, db_session
+    ):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="must be an election admin")
 
     return computing_id
@@ -44,7 +46,7 @@ async def perm_election(db_session: database.DBSession, computing_id: LoggedInUs
 
 
 async def perm_admin(db_session: database.DBSession, computing_id: LoggedInUser):
-    if not is_user_website_admin(computing_id, db_session):
+    if not await is_user_website_admin(computing_id, db_session):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="must be an admin")
 
     return computing_id
diff --git a/src/officers/urls.py b/src/officers/urls.py
@@ -137,7 +137,7 @@ async def get_officer_info(
     session_computing_id: LoggedInUser,
     computing_id: str,
 ):
-    if computing_id != session_computing_id and not is_user_website_admin(session_computing_id, db_session):
+    if computing_id != session_computing_id and not await is_user_website_admin(session_computing_id, db_session):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="not authorized")
 
     officer_info = await officers.crud.get_officer_info_or_raise(db_session, computing_id)
diff --git a/src/utils/permissions.py b/src/utils/permissions.py
@@ -81,9 +81,6 @@ async def get_admin(request: Request, db_session: database.DBSession, admin_type
     return (session_id, computing_id)
 
 
-async def verify_update(request: Request, db_session: database.DBSession, computing_id: str) -> tuple[str, str]:
-    session_id, session_computing_id = await get_user(request, db_session)
-    if computing_id != session_computing_id and not is_user_website_admin(computing_id, db_session):
+async def verify_update(computing_id: str, db_session: database.DBSession, target_id: str):
+    if target_id != computing_id and not await is_user_website_admin(computing_id, db_session):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="must be an admin")
-
-    return (session_id, session_computing_id)
