aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBonfaceKilz2022-05-20 11:40:16 +0300
committerBonfaceKilz2022-05-27 15:17:52 +0300
commit92703faff0f0eaedae9b12c5c5d47cf22236944d (patch)
tree985c419741b5235982560175cc1fb754836c8ec4
parent77f12fb59c4277e2bd51f8dba78518172bca1735 (diff)
downloadgenenetwork2-92703faff0f0eaedae9b12c5c5d47cf22236944d.tar.gz
Make sure user is part of "editors" group to make (case attrs) edits
* wqflask/wqflask/decorators.py: Import "gn3.authentication.get_groups_by_user_uid". (case_attributes_edit_access): New decorator. Checks which users are in the "editors" group in Redis. * wqflask/wqflask/metadata_edits.py: Import "wqflask.decorators.case_attributes_edit_access" (update_case_attributes): Use "@update_case_attributes" decorator. (reject_case_attribute_data): Ditto.
-rw-r--r--wqflask/wqflask/decorators.py23
-rw-r--r--wqflask/wqflask/metadata_edits.py5
2 files changed, 27 insertions, 1 deletions
diff --git a/wqflask/wqflask/decorators.py b/wqflask/wqflask/decorators.py
index 41d23084..a69ad868 100644
--- a/wqflask/wqflask/decorators.py
+++ b/wqflask/wqflask/decorators.py
@@ -7,6 +7,7 @@ from urllib.parse import urljoin
from functools import wraps
from gn3.authentication import AdminRole
from gn3.authentication import DataRole
+from gn3.authentication import get_groups_by_user_uid
import json
import requests
@@ -78,3 +79,25 @@ def edit_admins_access_required(f):
return redirect(url_for("no_access_page"))
return f(*args, **kwargs)
return wrap
+
+
+def case_attributes_edit_access(f):
+ """Use this for endpoints for editing case
+ attributes. Only members in the 'editors'
+ group are allowed here!"""
+ @wraps(f)
+ def wrap(*args, **kwargs):
+ groups = []
+ for _, value in get_groups_by_user_uid(
+ user_uid=((g.user_session.record.get(b"user_id") or
+ b"").decode("utf-8")
+ or g.user_session.record.get("user_id") or ""),
+ conn=redis.from_url(current_app.config["REDIS_URL"],
+ decode_responses=True)).items():
+ for items in value:
+ if (i_ := items.get("name")):
+ groups.append(i_)
+ if "groups" in groups:
+ return redirect(url_for("no_access_page"))
+ return f(*args, **kwargs)
+ return wrap
diff --git a/wqflask/wqflask/metadata_edits.py b/wqflask/wqflask/metadata_edits.py
index a13cadf8..202a5d1b 100644
--- a/wqflask/wqflask/metadata_edits.py
+++ b/wqflask/wqflask/metadata_edits.py
@@ -23,6 +23,7 @@ from wqflask.database import database_connection
from wqflask.decorators import edit_access_required
from wqflask.decorators import edit_admins_access_required
from wqflask.decorators import login_required
+from wqflask.decorators import case_attributes_edit_access
from gn3.authentication import AdminRole
from gn3.authentication import get_highest_user_access_role
@@ -755,7 +756,7 @@ def show_case_attribute_columns():
@metadata_edit.route("/case-attributes", methods=("POST",))
-@edit_admins_access_required
+@case_attributes_edit_access
@login_required
def update_case_attributes():
data_ = request.form.to_dict().get("data")
@@ -784,6 +785,8 @@ def update_case_attributes():
@metadata_edit.route("/case-attributes/reject", methods=["POST", ])
+@case_attributes_edit_access
+@login_required
def reject_case_attribute_data():
case_attr_id = request.form.to_dict().get("id")
with database_connection() as conn: