authorFrederick Muriuki Muriithi2025-07-29 09:43:33 -0500
committerFrederick Muriuki Muriithi2025-07-29 10:15:14 -0500
commit5c0b9077320d62ac26685dc37291c18d3670fb98 (patch)
treed3bd9a4d44803473fce41efab2c3facdb68a10ef
parent065d97043611b0892dc56b813db87d943c67ec7d (diff)
downloadgn-auth-5c0b9077320d62ac26685dc37291c18d3670fb98.tar.gz
Add system-wide resource-access privileges for system administrators
System administrators need to access and modify the resources in the system, and to do that we need to grant them specific privileges to check against. These privileges act on the wrapper resource objects, not necessarily on the data attached to the resource object.
-rw-r--r--gn_auth/auth/authorisation/resources/views.py1
-rw-r--r--migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py31
2 files changed, 31 insertions, 1 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index f497219..b52e972 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -684,7 +684,6 @@ def delete_resource() -> Response:
form = request_json()
try:
resource_id = UUID(form.get("resource_id"))
- # TODO Add migrations to set up new privileges (system:resource:*)
# TODO Add migrations to grant privileges (system:resource:*) to admin users
# TODO Update resource creation to grant privileges (system:resource:*) to admin users
# TODO Update user-levels promotion/demotion to grant/revoke (system:resource:*) to/from admin users
diff --git a/migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py b/migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py
new file mode 100644
index 0000000..be0d022
--- /dev/null
+++ b/migrations/auth/20250729_01_CNn2p-create-initial-system-wide-resources-access-privileges.py
@@ -0,0 +1,31 @@
+"""
+Create initial system-wide resources access privileges
+"""
+
+from yoyo import step
+
+__depends__ = {'20250722_02_M8TXv-add-system-user-edit-privilege-to-system-admin-role'}
+
+steps = [
+ step(
+ """
+ INSERT INTO privileges(privilege_id, privilege_description)
+ VALUES
+ ("system:resource:view",
+ "View the wrapper resource object (not attached data). This is mostly for administration purposes."),
+ ("system:resource:edit",
+ "Edit/update the wrapper resource object (not attached data). This is mostly for administration purposes."),
+ ("system:resource:delete",
+ "Delete the wrapper resource object (not attached data). This is mostly for administration purposes."),
+ ("system:resource:reassign-group",
+ "Reassign the resource, and its data, to a different user group."),
+ ("system:resource:assign-owner",
+ "Assign ownership of any resource to any user.")
+ """,
+ """
+ DELETE FROM privileges WHERE privilege_id IN
+ ("system:resource:view", "system:resource:edit",
+ "system:resource:delete", "system:resource:reassign-group",
+ "system:resource:assign-owner")
+ """)
+]
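Review bot: Both SQL statements quote the privilege ids and descriptions with double quotes (`("system:resource:view",` in the VALUES rows and again in the DELETE's IN list), which standard SQL treats as identifiers rather than string literals; this only works where the backend accepts double-quoted strings as a fallback (SQLite does, as a legacy behaviour that can be compiled out), so the portable form is single quotes, e.g. `('system:resource:view',` on each row and in the IN list. The migration also only creates the privilege rows and attaches them to no role, so they are inert until the follow-up migrations described by the TODO comments that remain in views.py; the module docstring should state that, e.g. `Create the system:resource:* privileges only; granting them to the system-administrator role is left to a later migration.`, so that a reader of the migration history does not assume administrators already hold them after this step.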