author | Frederick Muriuki Muriithi | 2025-07-30 12:55:45 -0500 |
committer | Frederick Muriuki Muriithi | 2025-07-30 12:55:45 -0500 |
commit | 5e52399c327ca04214ec0aab1af966f05fb899bb (patch) | |
tree | 2dddf5dbcc8858d776cb7fcd45d54a38c4f2d09f | |
parent | 75bbf11386457e2f366e3c38c4e8d729b542de55 (diff) | |
download | gn-auth-5e52399c327ca04214ec0aab1af966f05fb899bb.tar.gz |
Provide endpoint to remove a group member.
-rw-r--r-- | gn_auth/auth/authorisation/resources/groups/views.py | 54 |
1 files changed, 53 insertions, 1 deletions
diff --git a/gn_auth/auth/authorisation/resources/groups/views.py b/gn_auth/auth/authorisation/resources/groups/views.py
index 28f0645..bfb4c80 100644
--- a/gn_auth/auth/authorisation/resources/groups/views.py
+++ b/gn_auth/auth/authorisation/resources/groups/views.py
@@ -18,9 +18,13 @@ from gn_auth.auth.db.sqlite3 import with_db_connection
 from gn_auth.auth.authorisation.privileges import privileges_by_ids
 from gn_auth.auth.errors import InvalidData, NotFoundError, AuthorisationError
-from gn_auth.auth.authentication.users import User
+from gn_auth.auth.authentication.users import User, user_by_id
 from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
+from gn_auth.auth.authorisation.resources.checks import authorised_for_spec
+from gn_auth.auth.authorisation.resources.groups.models import (resource_from_group,
+                                                                remove_user_from_group)
+
 from .data import link_data_to_group
 from .models import (Group, GroupRole,
@@ -408,3 +412,51 @@ def view_group_leaders(group_id: uuid.UUID) -> Response:
     with (require_oauth.acquire("profile group") as _token,
           db.connection(current_app.config["AUTH_DB"]) as conn):
         return jsonify(tuple(group_leaders(conn, group_id)))
+
+
+@groups.route("/<uuid:group_id>/remove-member", methods=["POST"])
+@require_oauth("profile group")
+def remove_group_member(group_id: uuid.UUID):
+    """Remove a user as member of this group."""
+    with (require_oauth.acquire("profile group") as _token,
+          db.connection(current_app.config["AUTH_DB"]) as conn):
+        group = group_by_id(conn, group_id)
+        grp_resource = resource_from_group(conn, group)
+        if not authorised_for_spec(
+                conn,
+                _token.user.user_id,
+                grp_resource.resource_id,
+                "(OR group:user:remove-group-member system:group:remove-group-member)"):
+            raise AuthorisationError(
+                "You do not have appropriate privileges to remove a user from this "
+                "group.")
+
+        form = request_json()
+        if not bool(form.get("user_id")):
+            response = jsonify({
+                "error": "MissingUserId",
+                "error-description": (
+                    "Expected 'user_id' value/parameter was not provided.")
+            })
+            response.status_code = 400
+            return response
+
+        try:
+            user = user_by_id(conn, uuid.UUID(form["user_id"]))
+            remove_user_from_group(conn, group, user, grp_resource)
+            success_msg = (
+                f"User '{user.name} ({user.email})' is no longer a member of "
+                f"group '{group.group_name}'.\n"
+                "They could, however, still have access to resources owned by "
+                "the group.")
+            return jsonify({
+                "description": success_msg,
+                "message": success_msg
+            })
+        except ValueError as _verr:
+            response = jsonify({
+                "error": "InvalidUserId",
+                "error-description": "The 'user_id' provided was invalid"
+            })
+            response.status_code = 400
+            return response
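Review bot: The `except ValueError` at the end of `remove_group_member` wraps the whole `try` body, so a `ValueError` raised inside `user_by_id` or `remove_user_from_group` would also be reported to the client as `InvalidUserId` with a 400; only the `uuid.UUID(form["user_id"])` parse belongs in that `try`. The view also does not handle a well-formed id that matches no user — if `user_by_id` raises `NotFoundError` (imported at the top of the file) for that case, it presumably falls through to an app-level error handler, which is worth confirming. Nothing in the hunk checks that the member being removed is not the group's last leader, so a group could be left with nobody holding leader privileges; if `remove_user_from_group` does not guard this, a check before the call is the place for it. For consistency with `view_group_leaders` directly above, the signature should carry the return annotation, `def remove_group_member(group_id: uuid.UUID) -> Response:`, and the unused `_verr` binding can be dropped.
```python
        # … unchanged: authorisation check and missing-user_id handling …
        try:
            user_id = uuid.UUID(form["user_id"])
        except ValueError:
            response = jsonify({
                "error": "InvalidUserId",
                "error-description": "The 'user_id' provided was invalid"
            })
            response.status_code = 400
            return response

        user = user_by_id(conn, user_id)
        remove_user_from_group(conn, group, user, grp_resource)
        # … unchanged: success_msg and success response …
```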