From 18164f11048cd561663154a311577a5cfb9d29ac Mon Sep 17 00:00:00 2001
From: Justin Terry
Date: Fri, 10 May 2024 10:04:36 -0700
Subject: [PATCH] Check for ADMIN before DB call in get_owner

---
 app/routes/datasets/dataset.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/routes/datasets/dataset.py b/app/routes/datasets/dataset.py
index fb46fb21d..c1a50a2a7 100644
--- a/app/routes/datasets/dataset.py
+++ b/app/routes/datasets/dataset.py
@@ -28,12 +28,15 @@ async def get_owner(
 dataset: str = Depends(dataset_dependency), user: User = Depends(get_manager)
 ) -> User:
- """Retrieves the user object that owns the dataset if that user is the one
- making the request, otherwise raises a 401."""
+ """Returns the User making the request as long as that user is an admin or
+ the owner of the dataset, otherwise raises a 401."""
+
+ if user.role == "ADMIN":
+ return user
 dataset_row: ORMDataset = await datasets.get_dataset(dataset)
 owner: str = dataset_row.owner_id
- if owner != user.id and user.role != "ADMIN":
+ if owner != user.id:
 raise HTTPException(status_code=401, detail="Unauthorized")
 return user
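Review bot: The early `return user` for `user.role == "ADMIN"` means an admin request no longer reaches `datasets.get_dataset(dataset)`, so whatever that call did for a missing dataset (not visible here, but presumably it raises) no longer happens on the admin path of `get_owner`. If routes using this dependency relied on that lookup as an existence check, confirm that `dataset_dependency` or the handler covers it, and record the intent with a comment such as `# Admins skip the ownership lookup; dataset existence is not verified here`. Separately, rejecting an authenticated non-owner is an authorisation failure, for which 403 is the conventional status: `raise HTTPException(status_code=403, detail="Forbidden")`. Check with API consumers before changing it, and update the docstring's "raises a 401" to match.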