3 files changed, 93 insertions, 4 deletions

diff --git a/gn2/wqflask/oauth2/resources.py b/gn2/wqflask/oauth2/resources.py
index 34b11235..9ca057ab 100644
--- a/gn2/wqflask/oauth2/resources.py
+++ b/gn2/wqflask/oauth2/resources.py
@@ -7,8 +7,12 @@ from . import client
 from .ui import render_ui as _render_ui
 from .checks import require_oauth2
 from .client import oauth2_get, oauth2_post
-from .request_utils import (
-    flash_error, flash_success, request_error, process_error)
+from .request_utils import (flash_error,
+                            flash_success,
+                            request_error,
+                            process_error,
+                            with_flash_error,
+                            with_flash_success)
 
 resources = Blueprint("resource", __name__)
 
@@ -331,3 +335,51 @@ def view_resource_role(resource_id: UUID, role_id: UUID):
             lambda error: __render_template__(
                 resource_error=process_error(error)),
             lambda resource: __fetch_resource_role__(resource=resource))
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/unassign-privilege",
+                 methods=["GET", "POST"])
+@require_oauth2
+def unassign_privilege_from_resource_role(resource_id: UUID, role_id: UUID):
+    """Remove a privilege from a resource role."""
+    form = request.form
+    returnto = redirect(url_for("oauth2.resource.view_resource_role",
+                                resource_id=resource_id,
+                                role_id=role_id))
+    privilege_id = (request.args.get("privilege_id")
+                    or form.get("privilege_id"))
+    if not privilege_id:
+        flash("You need to specify a privilege to unassign.", "alert-danger")
+        return returnto
+
+    if request.method=="POST" and form.get("confirm") == "Unassign":
+        return oauth2_post(
+            f"auth/resource/{resource_id}/role/{role_id}/unassign-privilege",
+            json={
+                "privilege_id": form["privilege_id"]
+            }).either(with_flash_error(returnto), with_flash_success(returnto))
+
+    if form.get("confirm") == "Cancel":
+        flash("Cancelled the operation to unassign the privilege.",
+              "alert-info")
+        return returnto
+
+    def __fetch_privilege__(resource, role):
+        return oauth2_get(
+            f"auth/privileges/{privilege_id}/view").either(
+                with_flash_error(returnto),
+                lambda privilege: render_ui(
+                    "oauth2/confirm-resource-role-unassign-privilege.html",
+                    resource=resource,
+                    role=role,
+                    privilege=privilege))
+
+    def __fetch_resource_role__(resource):
+        return oauth2_get(
+            f"auth/resource/{resource_id}/role/{role_id}").either(
+                with_flash_error(returnto),
+                lambda role: __fetch_privilege__(resource, role))
+
+    return oauth2_get(
+        f"auth/resource/view/{resource_id}").either(
+            with_flash_error(returnto),
+            __fetch_resource_role__)
diff --git a/gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html b/gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html
new file mode 100644
index 00000000..988cf3b4
--- /dev/null
+++ b/gn2/wqflask/templates/oauth2/confirm-resource-role-unassign-privilege.html
@@ -0,0 +1,34 @@
+{%extends "base.html"%}
+{%from "oauth2/profile_nav.html" import profile_nav%}
+{%from "oauth2/display_error.html" import display_error%}
+{%block title%}View User{%endblock%}
+{%block content%}
+<div class="container">
+  {{profile_nav(uipages, user_privileges)}}
+  {{flash_me()}}
+
+  <form id="frm_confirm_resource_role_unassign_privilege"
+        method="POST"
+        action="{{url_for('oauth2.resource.unassign_privilege_from_resource_role',
+                resource_id=resource.resource_id,
+                role_id=role.role_id)}}">
+    <p>
+      Are you sure you want to unassign the privilege to
+      '{{privilege.privilege_description}}' from the role '{{role.role_name}}'
+      on resource '{{resource.resource_name}}'?</p>
+    <input type="hidden"
+           name="privilege_id"
+           value="{{privilege.privilege_id}}" />
+    
+    <input type="submit"
+           name="confirm"
+           value="Cancel"
+           class="btn btn-success" />
+
+    <input type="submit"
+           name="confirm"
+           value="Unassign"
+           class="btn btn-danger" />
+  </form>
+</div>
+{%endblock%}
diff --git a/gn2/wqflask/templates/oauth2/view-resource-role.html b/gn2/wqflask/templates/oauth2/view-resource-role.html
index 05df41d6..a1aa8676 100644
--- a/gn2/wqflask/templates/oauth2/view-resource-role.html
+++ b/gn2/wqflask/templates/oauth2/view-resource-role.html
@@ -5,8 +5,10 @@
 {%block content%}
 
 {%macro unassign_button(resource_id, role_id, privilege_id)%}
-<form method="POST"
-      action="#"
+<form method="GET"
+      action="{{url_for('oauth2.resource.unassign_privilege_from_resource_role',
+              resource_id=resource_id,
+              role_id=role_id)}}"
       id="frm_unlink_privilege_{{privilege_id}}">
   <input type="hidden" name="resource_id" value="{{resource_id}}" />
   <input type="hidden" name="role_id" value="{{role_id}}" />
@@ -17,6 +19,7 @@
 
 <div class="container">
   {{profile_nav(uipages, user_privileges)}}
+  {{flash_me()}}
   {%if resource_error is defined%}
   {{display_error("Resource", resource_error)}}
   {%else%}