diff options
| author | Frederick Muriuki Muriithi | 2023-04-27 06:33:34 +0300 |
|---|---|---|
| committer | Frederick Muriuki Muriithi | 2023-04-27 06:46:48 +0300 |
| commit | f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 (patch) | |
| tree | 0f103dd33c241d78ab5b5625f875527d18db92e5 | |
| parent | 12e9f87753d5ef0d3343a2a92a824f2ace696e4e (diff) | |
| download | genenetwork3-f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08.tar.gz | |
auth: Retrieve `system:*` privileges from resource roles
With the assignment of `system:*` privileges to roles, we need to check for
their existence when doing authorisation.
This commit provides a hack for that, seeing as user groups (and the system
itself) are not treated as resources, and therefore the way to fetch the
privileges is not entirely consistent.
| -rw-r--r-- | gn3/auth/authorisation/checks.py | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py index 9b0af5f..0825c84 100644 --- a/gn3/auth/authorisation/checks.py +++ b/gn3/auth/authorisation/checks.py @@ -11,6 +11,25 @@ from .errors import AuthorisationError from ..authentication.oauth2.resource_server import require_oauth +def __system_privileges_in_roles__(conn, user): + """ + This really is a hack since groups are not treated as resources at the + moment of writing this. + + We need a way of allowing the user to have the system:group:* privileges. + """ + query = ( + "SELECT DISTINCT p.* FROM users AS u " + "INNER JOIN group_user_roles_on_resources AS guror " + "ON u.user_id=guror.user_id " + "INNER JOIN roles AS r ON guror.role_id=r.role_id " + "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id " + "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id " + "WHERE u.user_id=? AND p.privilege_id LIKE 'system:%'") + with db.cursor(conn) as cursor: + cursor.execute(query, (str(user.user_id),)) + return (row["privilege_id"] for row in cursor.fetchall()) + def authorised_p( privileges: tuple[str, ...], error_description: str = ( @@ -28,7 +47,9 @@ def authorised_p( with db.connection(app.config["AUTH_DB"]) as conn: user_privileges = tuple( priv.privilege_id for priv in - auth_privs.user_privileges(conn, the_user)) + auth_privs.user_privileges(conn, the_user)) + tuple( + priv_id for priv_id in + __system_privileges_in_roles__(conn, the_user)) not_assigned = [ priv for priv in privileges if priv not in user_privileges] |