-rw-r--r--wqflask/wqflask/decorators.py23
-rw-r--r--wqflask/wqflask/metadata_edits.py5
2 files changed, 27 insertions, 1 deletions
diff --git a/wqflask/wqflask/decorators.py b/wqflask/wqflask/decorators.py
index 41d23084..a69ad868 100644
--- a/wqflask/wqflask/decorators.py
+++ b/wqflask/wqflask/decorators.py
@@ -7,6 +7,7 @@ from urllib.parse import urljoin
from functools import wraps
from gn3.authentication import AdminRole
from gn3.authentication import DataRole
+from gn3.authentication import get_groups_by_user_uid
import json
import requests
@@ -78,3 +79,25 @@ def edit_admins_access_required(f):
return redirect(url_for("no_access_page"))
return f(*args, **kwargs)
return wrap
+
+
+def case_attributes_edit_access(f):
+ """Use this for endpoints for editing case
+ attributes. Only members in the 'editors'
+ group are allowed here!"""
+ @wraps(f)
+ def wrap(*args, **kwargs):
+ groups = []
+ for _, value in get_groups_by_user_uid(
+ user_uid=((g.user_session.record.get(b"user_id") or
+ b"").decode("utf-8")
+ or g.user_session.record.get("user_id") or ""),
+ conn=redis.from_url(current_app.config["REDIS_URL"],
+ decode_responses=True)).items():
+ for items in value:
+ if (i_ := items.get("name")):
+ groups.append(i_)
+ if "groups" in groups:
+ return redirect(url_for("no_access_page"))
+ return f(*args, **kwargs)
+ return wrap
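Review bot: The membership test `if "groups" in groups:` does not enforce what the docstring promises — it redirects only a caller who belongs to a group literally named "groups" and lets everyone else through, so a logged-in user who is in no group at all reaches the wrapped endpoint. The check should deny unless the caller is an 'editors' member: `if "editors" not in groups:`; pulling that name into a module constant would keep the docstring and the check from drifting apart. The wrapper also reads `g.user_session.record` before any login check runs, since the routes in this commit apply it outside `@login_required` — whether that is safe for an anonymous request depends on how user_session is populated, which is not visible here. Nothing in the hunk guards against `get_groups_by_user_uid` failing (Redis down, unknown uid); consider whether that should fail closed rather than propagate.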
diff --git a/wqflask/wqflask/metadata_edits.py b/wqflask/wqflask/metadata_edits.py
index a13cadf8..202a5d1b 100644
--- a/wqflask/wqflask/metadata_edits.py
+++ b/wqflask/wqflask/metadata_edits.py
@@ -23,6 +23,7 @@ from wqflask.database import database_connection
from wqflask.decorators import edit_access_required
from wqflask.decorators import edit_admins_access_required
from wqflask.decorators import login_required
+from wqflask.decorators import case_attributes_edit_access
from gn3.authentication import AdminRole
from gn3.authentication import get_highest_user_access_role
@@ -755,7 +756,7 @@ def show_case_attribute_columns():
@metadata_edit.route("/case-attributes", methods=("POST",))
-@edit_admins_access_required
+@case_attributes_edit_access
@login_required
def update_case_attributes():
data_ = request.form.to_dict().get("data")
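Review bot: Every authenticated user can now POST to this route, because the decorator that replaces `@edit_admins_access_required` here only redirects callers in a group named "groups" (see `case_attributes_edit_access` in this commit) rather than requiring 'editors' membership, so the swap on this line downgrades an admin-only endpoint to effectively login-only. Until that check is corrected, keep `@edit_admins_access_required` on `update_case_attributes`, or have the new decorator gate on the intended group. Note that the new decorator sits outside `@login_required`, so its group lookup runs before the login check; that matches the previous ordering, but it is worth confirming `g.user_session` is always populated for an anonymous request. The body of `update_case_attributes` continues beyond the hunk.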
@@ -784,6 +785,8 @@ def update_case_attributes():
@metadata_edit.route("/case-attributes/reject", methods=["POST", ])
+@case_attributes_edit_access
+@login_required
def reject_case_attribute_data():
case_attr_id = request.form.to_dict().get("id")
with database_connection() as conn: