
feat: only tenant owner can subscription. (#1770)

Garfield Dai 1 rok pred
rodič
commit
2de73991ff

+ 3 - 1
api/controllers/console/billing/billing.py

@@ -37,6 +37,8 @@ class Subscription(Resource):
         parser.add_argument('interval', type=str, required=True, location='args', choices=['month', 'year'])
         args = parser.parse_args()
 
+        BillingService.is_tenant_owner(current_user)
+
         return BillingService.get_subscription(args['plan'],
                                                args['interval'],
                                                current_user.email,
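Review bot: The owner check added before `get_subscription` is a bare statement whose result is discarded, so it only guards the handler because `is_tenant_owner` raises; the call added to `Invoices.get` in the next hunk has the same shape. Given the predicate-style name, a later caller could write `if BillingService.is_tenant_owner(current_user):` and receive `None` even for a real owner. Since both handlers already stack decorators such as `@only_edition_cloud`, a decorator for the owner requirement would make it harder to forget on a new billing endpoint. Failing that, add a comment at each call site such as `# raises if current_user is not the tenant owner; nothing is returned`. The Subscription handler starts and ends outside this hunk.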
@@ -50,7 +52,7 @@ class Invoices(Resource):
     @account_initialization_required
     @only_edition_cloud
     def get(self):
-
+        BillingService.is_tenant_owner(current_user)
         return BillingService.get_invoices(current_user.email)
 
 

+ 16 - 0
api/services/billing_service.py

@@ -1,6 +1,10 @@
 import os
+
 import requests
 
+from extensions.ext_database import db
+from models.account import TenantAccountJoin
+
 
 class BillingService:
     base_url = os.environ.get('BILLING_API_URL', 'BILLING_API_URL')
@@ -55,3 +59,15 @@ class BillingService:
         response = requests.request(method, url, json=json, params=params, headers=headers)
 
         return response.json()
+
+    @staticmethod
+    def is_tenant_owner(current_user):
+        tenant_id = current_user.current_tenant_id
+
+        join = db.session.query(TenantAccountJoin).filter(
+            TenantAccountJoin.tenant_id == tenant_id,
+            TenantAccountJoin.account_id == current_user.id
+        ).first()
+
+        if join.role != 'owner':
+            raise ValueError('Only tenant owner can perform this action')
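Review bot: `join.role` is read without checking that `.first()` returned a row, so an account with no `TenantAccountJoin` for its `current_tenant_id` (or with that id unset) hits an AttributeError rather than a deliberate denial. The request still fails closed, but as an unhandled error. The `ValueError` on the non-owner branch probably surfaces as a 500 as well, unless an error handler outside this diff maps it. I would make the denial explicit with `if join is None or join.role != 'owner':` and raise an HTTP 403 there (for example `werkzeug.exceptions.Forbidden`, assuming it fits the project's error handling), so clients and logs see an authorization failure rather than a server fault. A short docstring saying the method returns nothing and raises for non-owners would also help, because the `is_` name reads like a boolean predicate.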