author | BonfaceKilz | 2022-05-20 11:40:16 +0300 |
---|---|---|
committer | BonfaceKilz | 2022-05-27 15:17:52 +0300 |
commit | 92703faff0f0eaedae9b12c5c5d47cf22236944d (patch) | |
tree | 985c419741b5235982560175cc1fb754836c8ec4 | |
parent | 77f12fb59c4277e2bd51f8dba78518172bca1735 (diff) | |
Make sure user is part of "editors" group to make (case attrs) edits
* wqflask/wqflask/decorators.py: Import
"gn3.authentication.get_groups_by_user_uid".
(case_attributes_edit_access): New decorator. Checks which users are in
the "editors" group in Redis.
* wqflask/wqflask/metadata_edits.py: Import
"wqflask.decorators.case_attributes_edit_access"
(update_case_attributes): Use "@update_case_attributes" decorator.
(reject_case_attribute_data): Ditto.
-rw-r--r-- | wqflask/wqflask/decorators.py | 23 | ||||
-rw-r--r-- | wqflask/wqflask/metadata_edits.py | 5 |
2 files changed, 27 insertions, 1 deletions
diff --git a/wqflask/wqflask/decorators.py b/wqflask/wqflask/decorators.py
index 41d23084..a69ad868 100644
--- a/wqflask/wqflask/decorators.py
+++ b/wqflask/wqflask/decorators.py
@@ -7,6 +7,7 @@ from urllib.parse import urljoin
 from functools import wraps
 from gn3.authentication import AdminRole
 from gn3.authentication import DataRole
+from gn3.authentication import get_groups_by_user_uid
 import json
 import requests
@@ -78,3 +79,25 @@ def edit_admins_access_required(f):
             return redirect(url_for("no_access_page"))
         return f(*args, **kwargs)
     return wrap
+
+
+def case_attributes_edit_access(f):
+    """Use this for endpoints for editing case
+    attributes. Only members in the 'editors'
+    group are allowed here!"""
+    @wraps(f)
+    def wrap(*args, **kwargs):
+        groups = []
+        for _, value in get_groups_by_user_uid(
+                user_uid=((g.user_session.record.get(b"user_id") or
+                           b"").decode("utf-8")
+                          or g.user_session.record.get("user_id") or ""),
+                conn=redis.from_url(current_app.config["REDIS_URL"],
+                                    decode_responses=True)).items():
+            for items in value:
+                if (i_ := items.get("name")):
+                    groups.append(i_)
+        if "groups" in groups:
+            return redirect(url_for("no_access_page"))
+        return f(*args, **kwargs)
+    return wrap
diff --git a/wqflask/wqflask/metadata_edits.py b/wqflask/wqflask/metadata_edits.py
index a13cadf8..202a5d1b 100644
--- a/wqflask/wqflask/metadata_edits.py
+++ b/wqflask/wqflask/metadata_edits.py
@@ -23,6 +23,7 @@ from wqflask.database import database_connection
 from wqflask.decorators import edit_access_required
 from wqflask.decorators import edit_admins_access_required
 from wqflask.decorators import login_required
+from wqflask.decorators import case_attributes_edit_access
 from gn3.authentication import AdminRole
 from gn3.authentication import get_highest_user_access_role
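Review bot: The membership check in `wrap` is inverted and tests the wrong name: `if "groups" in groups:` redirects only a user who belongs to a group literally called "groups" and lets every other user through, whereas the docstring promises that only members of the 'editors' group are allowed; it should be `if "editors" not in groups:`. Until that is fixed, the decorator swap in metadata_edits.py (the hunks at -755 and -784) replaces the admin-only check on `update_case_attributes` with one that effectively admits any logged-in user, and `reject_case_attribute_data` is protected by the same ineffective check. Because it is the outer decorator, `wrap` runs before `login_required`, so an anonymous session reaches the Redis lookup with user_uid "" — presumably get_groups_by_user_uid returns nothing for it, but that is worth confirming rather than relying on. The `redis.from_url` client is also created on every request and never closed; the file's other decorators are outside this hunk, so I cannot tell whether they share a connection helper that this one should reuse.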
@@ -755,7 +756,7 @@ def show_case_attribute_columns():
 @metadata_edit.route("/case-attributes", methods=("POST",))
-@edit_admins_access_required
+@case_attributes_edit_access
 @login_required
 def update_case_attributes():
     data_ = request.form.to_dict().get("data")
@@ -784,6 +785,8 @@ def update_case_attributes():
 @metadata_edit.route("/case-attributes/reject", methods=["POST", ])
+@case_attributes_edit_access
+@login_required
 def reject_case_attribute_data():
     case_attr_id = request.form.to_dict().get("id")
     with database_connection() as conn: