aboutsummaryrefslogtreecommitdiff
path: root/gn2/wqflask/oauth2
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-06-07 12:34:35 -0500
committerAlexander_Kabui2024-08-28 15:02:45 +0300
commitbc50d737fcf9ede661760a0dbeee124403962044 (patch)
tree0ffac20751afb60bc93306f524c05f799f6d0e0d /gn2/wqflask/oauth2
parent231367c3dd60b0e28ba3fa3f7cacfb79bd1c518e (diff)
downloadgenenetwork2-bc50d737fcf9ede661760a0dbeee124403962044.tar.gz
Update UI: Use resource roles rather than obsolete group roles
In a fix to fix a privilege-escalation bug, the `…/group/roles` endpoint was entirely removed and replaced with the less error-prone `…/resource/…/roles` endpoint. This commit updates the code to use the new endpoint's data as appropriate. We also fix typos in some url_for routing arguments.
Diffstat (limited to 'gn2/wqflask/oauth2')
-rw-r--r--gn2/wqflask/oauth2/resources.py29
1 files changed, 15 insertions, 14 deletions
diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 32efbd2a..afba2526 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -67,39 +67,40 @@ def view_resource(resource_id: uuid.UUID):
int(request.args.get("page", "1"), base=10))
count_per_page = int(request.args.get("count_per_page", "100"), base=10)
def __users_success__(
- resource, unlinked_data, users_n_roles, this_user, group_roles,
+ resource, unlinked_data, users_n_roles, this_user, resource_roles,
users):
return render_ui(
"oauth2/view-resource.html", resource=resource,
unlinked_data=unlinked_data, users_n_roles=users_n_roles,
- this_user=this_user, group_roles=group_roles, users=users,
+ this_user=this_user, resource_roles=resource_roles, users=users,
page=page, count_per_page=count_per_page)
- def __group_roles_success__(
- resource, unlinked_data, users_n_roles, this_user, group_roles):
+ def __resource_roles_success__(
+ resource, unlinked_data, users_n_roles, this_user, resource_roles):
return oauth2_get("auth/user/list").either(
lambda err: render_ui(
"oauth2/view-resource.html", resource=resource,
unlinked_data=unlinked_data, users_n_roles=users_n_roles,
- this_user=this_user, group_roles=group_roles,
+ this_user=this_user, resource_roles=resource_roles,
users_error=process_error(err), count_per_page=count_per_page),
lambda users: __users_success__(
- resource, unlinked_data, users_n_roles, this_user, group_roles,
+ resource, unlinked_data, users_n_roles, this_user, resource_roles,
users))
def __this_user_success__(resource, unlinked_data, users_n_roles, this_user):
- return oauth2_get("auth/group/roles").either(
+ return oauth2_get(f"auth/resource/{resource_id}/roles").either(
lambda err: render_ui(
- "oauth2/view-resources.html", resource=resource,
+ "oauth2/view-resource.html", resource=resource,
unlinked_data=unlinked_data, users_n_roles=users_n_roles,
- this_user=this_user, group_roles_error=process_error(err)),
- lambda groles: __group_roles_success__(
- resource, unlinked_data, users_n_roles, this_user, groles))
+ this_user=this_user, resource_roles_error=process_error(err),
+ count_per_page=count_per_page),
+ lambda rroles: __resource_roles_success__(
+ resource, unlinked_data, users_n_roles, this_user, rroles))
def __users_n_roles_success__(resource, unlinked_data, users_n_roles):
return oauth2_get("auth/user/").either(
lambda err: render_ui(
- "oauth2/view-resources.html",
+ "oauth2/view-resource.html",
this_user_error=process_error(err)),
lambda usr_dets: __this_user_success__(
resource, unlinked_data, users_n_roles, usr_dets))
@@ -229,7 +230,7 @@ def assign_role(resource_id: uuid.UUID) -> Response:
}).either(__assign_error__, __assign_success__)
except AssertionError as aserr:
flash(aserr.args[0], "alert-danger")
- return redirect(url_for("oauth2.resources.view_resource", resource_id=resource_id))
+ return redirect(url_for("oauth2.resource.view_resource", resource_id=resource_id))
@resources.route("<uuid:resource_id>/user/unassign", methods=["POST"])
@require_oauth2
@@ -260,7 +261,7 @@ def unassign_role(resource_id: uuid.UUID) -> Response:
}).either(__unassign_error__, __unassign_success__)
except AssertionError as aserr:
flash(aserr.args[0], "alert-danger")
- return redirect(url_for("oauth2.resources.view_resource", resource_id=resource_id))
+ return redirect(url_for("oauth2.resource.view_resource", resource_id=resource_id))
@resources.route("/toggle/<uuid:resource_id>", methods=["POST"])
@require_oauth2