author | Frederick Muriuki Muriithi | 2024-06-07 12:34:35 -0500 |
---|---|---|
committer | Alexander_Kabui | 2024-08-28 15:02:45 +0300 |
commit | bc50d737fcf9ede661760a0dbeee124403962044 (patch) | |
tree | 0ffac20751afb60bc93306f524c05f799f6d0e0d /gn2 | |
parent | 231367c3dd60b0e28ba3fa3f7cacfb79bd1c518e (diff) | |
download | genenetwork2-bc50d737fcf9ede661760a0dbeee124403962044.tar.gz |
Update UI: Use resource roles rather than obsolete group roles
In a fix for a privilege-escalation bug, the `…/group/roles`
endpoint was entirely removed and replaced with the less error-prone
`…/resource/…/roles` endpoint. This commit updates the code to use the
new endpoint's data as appropriate.
We also fix typos in some url_for routing arguments.
Diffstat (limited to 'gn2')
-rw-r--r-- | gn2/wqflask/oauth2/resources.py | 29 | ||||
-rw-r--r-- | gn2/wqflask/templates/oauth2/view-resource.html | 18 |
2 files changed, 24 insertions, 23 deletions
diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 32efbd2a..afba2526 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -67,39 +67,40 @@ def view_resource(resource_id: uuid.UUID): int(request.args.get("page", "1"), base=10)) count_per_page = int(request.args.get("count_per_page", "100"), base=10) def __users_success__( - resource, unlinked_data, users_n_roles, this_user, group_roles, + resource, unlinked_data, users_n_roles, this_user, resource_roles, users): return render_ui( "oauth2/view-resource.html", resource=resource, unlinked_data=unlinked_data, users_n_roles=users_n_roles, - this_user=this_user, group_roles=group_roles, users=users, + this_user=this_user, resource_roles=resource_roles, users=users, page=page, count_per_page=count_per_page) - def __group_roles_success__( - resource, unlinked_data, users_n_roles, this_user, group_roles): + def __resource_roles_success__( + resource, unlinked_data, users_n_roles, this_user, resource_roles): return oauth2_get("auth/user/list").either( lambda err: render_ui( "oauth2/view-resource.html", resource=resource, unlinked_data=unlinked_data, users_n_roles=users_n_roles, - this_user=this_user, group_roles=group_roles, + this_user=this_user, resource_roles=resource_roles, users_error=process_error(err), count_per_page=count_per_page), lambda users: __users_success__( - resource, unlinked_data, users_n_roles, this_user, group_roles, + resource, unlinked_data, users_n_roles, this_user, resource_roles, users)) def __this_user_success__(resource, unlinked_data, users_n_roles, this_user): - return oauth2_get("auth/group/roles").either( + return oauth2_get(f"auth/resource/{resource_id}/roles").either( lambda err: render_ui( - "oauth2/view-resources.html", resource=resource, + "oauth2/view-resource.html", resource=resource, unlinked_data=unlinked_data, users_n_roles=users_n_roles, - this_user=this_user, group_roles_error=process_error(err)), - lambda groles: __group_roles_success__( - resource, unlinked_data, users_n_roles, this_user, groles)) + this_user=this_user, resource_roles_error=process_error(err), + count_per_page=count_per_page), + 
lambda rroles: __resource_roles_success__( + resource, unlinked_data, users_n_roles, this_user, rroles)) def __users_n_roles_success__(resource, unlinked_data, users_n_roles): return oauth2_get("auth/user/").either( lambda err: render_ui( - "oauth2/view-resources.html", + "oauth2/view-resource.html", this_user_error=process_error(err)), lambda usr_dets: __this_user_success__( resource, unlinked_data, users_n_roles, usr_dets)) @@ -229,7 +230,7 @@ def assign_role(resource_id: uuid.UUID) -> Response: }).either(__assign_error__, __assign_success__) except AssertionError as aserr: flash(aserr.args[0], "alert-danger") - return redirect(url_for("oauth2.resources.view_resource", resource_id=resource_id)) + return redirect(url_for("oauth2.resource.view_resource", resource_id=resource_id)) @resources.route("<uuid:resource_id>/user/unassign", methods=["POST"]) @require_oauth2 @@ -260,7 +261,7 @@ def unassign_role(resource_id: uuid.UUID) -> Response: }).either(__unassign_error__, __unassign_success__) except AssertionError as aserr: flash(aserr.args[0], "alert-danger") - return redirect(url_for("oauth2.resources.view_resource", resource_id=resource_id)) + return redirect(url_for("oauth2.resource.view_resource", resource_id=resource_id)) @resources.route("/toggle/<uuid:resource_id>", methods=["POST"]) @require_oauth2 diff --git a/gn2/wqflask/templates/oauth2/view-resource.html b/gn2/wqflask/templates/oauth2/view-resource.html index d17f1ddf..6ae5af56 100644 --- a/gn2/wqflask/templates/oauth2/view-resource.html +++ b/gn2/wqflask/templates/oauth2/view-resource.html @@ -309,8 +309,8 @@ <div class="row"> <h3>Assign</h3> - {%if group_roles_error is defined%} - {{display_error("Group Roles", group_roles_error)}} + {%if resource_roles_error is defined%} + {{display_error("Resource Roles", resource_roles_error)}} {%elif users_error is defined%} {{display_error("Users", users_error)}} {%else%} 
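Review bot: The error-path renders in `__this_user_success__` and `__resource_roles_success__` now pass `count_per_page=count_per_page` but not `page`, while `__users_success__` passes both, so the template context differs depending on which upstream call failed. If `view-resource.html` reads `page` outside the blocks guarded by the `*_error` checks, those renders fall back on Jinja's undefined handling; adding `page=page` to both error lambdas keeps the contexts consistent. The `this_user_error` render in `__users_n_roles_success__` passes neither value nor `resource` and deserves the same check. Building the path as `f"auth/resource/{resource_id}/roles"` is safe only while `resource_id` is a parsed `uuid.UUID` (the signature annotates it so, and the other routes in this file use the `uuid:` converter); a one-line comment such as `# resource_id is a uuid.UUID from the route converter, safe to interpolate` would record that assumption. view_resource starts and ends outside the hunk.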
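Review bot: The new endpoint name `oauth2.resource.view_resource` in `assign_role` cannot be checked against the blueprint registration from this hunk, and the redirect runs only after an `AssertionError`, so a wrong name would surface as a `BuildError` only when validation fails; the same applies to the identical change in `unassign_role`. A test that posts an invalid form to each handler and asserts the redirect target would pin this. Separately, the `except AssertionError` handler suggests the request checks in the try body (outside the hunk) are `assert` statements, which are removed under `python -O`; if so, raising an explicit exception type would keep the validation in optimised runs.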
@@ -320,13 +320,13 @@ method="POST" autocomplete="off"> <input type="hidden" name="resource_id" value="{{resource_id}}" /> <div class="form-group"> - <label for="group_role_id" class="form-label">Role</label> - <select class="form-control" name="group_role_id" - id="group_role_id" required="required"> - <option value="">Select role</option> - {%for grole in group_roles%} - <option value="{{grole.group_role_id}}"> - {{grole.role.role_name}} + <label for="role_id" class="form-label">Role</label> + <select class="form-control" name="role_id" + id="role_id" required="required"> + <option value="">Select role</option>> + {%for rrole in resource_roles%} + <option value="{{rrole.role_id}}"> + {{rrole.role_name}} </option> {%endfor%} </select> |
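Review bot: The added line `<option value="">Select role</option>>` has a stray trailing `>`; it should read `<option value="">Select role</option>`. The select's field name changes from `group_role_id` to `role_id`, but the visible hunks for `assign_role` touch only the redirect, so confirm the handler reads `role_id` from the form (its body is outside the hunks shown). The option list is presentation only: the handler or the auth service should still reject a posted `role_id` that is not among this resource's roles, because the submitted value is not limited to the options rendered here. The hidden input uses `{{resource_id}}` while the `render_ui` calls in `view_resource` pass `resource`, not `resource_id`, so that value may render empty unless `render_ui` supplies it. The form starts and ends outside the hunk.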