From cb49be814e48e8d7008866d52df5777de88c6067 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 7 Mar 2023 13:55:04 +0300
Subject: oauth2: group_roles: Enable adding/deleting privileges

---
 wqflask/wqflask/oauth2/groups.py                   | 68 ++++++++++++++++++++--
 .../wqflask/templates/oauth2/view-group-role.html  | 56 ++++++++++++++++++
 2 files changed, 118 insertions(+), 6 deletions(-)

diff --git a/wqflask/wqflask/oauth2/groups.py b/wqflask/wqflask/oauth2/groups.py
index 2effaae8..551c0640 100644
--- a/wqflask/wqflask/oauth2/groups.py
+++ b/wqflask/wqflask/oauth2/groups.py
@@ -137,14 +137,70 @@ def reject_join_request():
 @require_oauth2
 def group_role(group_role_id: uuid.UUID):
     """View the details of a particular role."""
-    def __role_error__(error):
+    def __render_error(**kwargs):
+        return render_template("oauth2/view-group-role.html", **kwargs)
+
+    def __gprivs_success__(role, group_privileges):
         return render_template(
-            "oauth2/view-group-role.html",
-            group_role_error=process_error(error))
+            "oauth2/view-group-role.html", group_role=role,
+            group_privileges=tuple(
+                priv for priv in group_privileges
+                if priv not in role["role"]["privileges"]))
 
     def __role_success__(role):
-        return render_template(
-            "oauth2/view-group-role.html", group_role=role)
+        return oauth2_get("oauth2/group/privileges").either(
+            lambda err: __render_error__(
+                group_role=group_role,
+                group_privileges_error=process_error(err)),
+            lambda privileges: __gprivs_success__(role, privileges))
 
     return oauth2_get(f"oauth2/group/role/{group_role_id}").either(
-        __role_error__, __role_success__)
+        lambda err: __render_error__(group_role_error=process_error(err)),
+        __role_success__)
+
+def add_delete_privilege_to_role(
+        group_role_id: uuid.UUID, direction: str) -> Response:
+    """Add/delete a privilege to/from a role depending on `direction`."""
+    assert direction in ("ADD", "DELETE")
+    def __render__():
+        return redirect(url_for(
+            "oauth2.group.group_role", group_role_id=group_role_id))
+
+    def __error__(error):
+        err = process_error(error)
+        flash(f"{err['error']}: {err['error_description']}", "alert-danger")
+        return __render__()
+
+    def __success__(success):
+        flash(success["description"], "alert-success")
+        return __render__()
+    try:
+        form = request.form
+        privilege_id = form.get("privilege_id")
+        assert bool(privilege_id), "Privilege to add must be provided"
+        uris = {
+            "ADD": f"oauth2/group/role/{group_role_id}/privilege/add",
+            "DELETE": f"oauth2/group/role/{group_role_id}/privilege/delete"
+        }
+        return oauth2_post(
+            uris[direction],
+            data={
+                "group_role_id": group_role_id,
+                "privilege_id": privilege_id
+            }).either(__error__, __success__)
+    except AssertionError as aerr:
+        flash(aerr.args[0], "alert-danger")
+        return redirect(url_for(
+            "oauth2.group.group_role", group_role_id=group_role_id))
+
+@groups.route("/role/<uuid:group_role_id>/privilege/add", methods=["POST"])
+@require_oauth2
+def add_privilege_to_role(group_role_id: uuid.UUID):
+    """Add a privilege to a group role."""
+    return add_delete_privilege_to_role(group_role_id, "ADD")
+
+@groups.route("/role/<uuid:group_role_id>/privilege/delete", methods=["POST"])
+@require_oauth2
+def delete_privilege_from_role(group_role_id: uuid.UUID):
+    """Delete a privilege from a group role."""
+    return add_delete_privilege_to_role(group_role_id, "DELETE")
diff --git a/wqflask/wqflask/templates/oauth2/view-group-role.html b/wqflask/wqflask/templates/oauth2/view-group-role.html
index ca45fc4c..873eb0ee 100644
--- a/wqflask/wqflask/templates/oauth2/view-group-role.html
+++ b/wqflask/wqflask/templates/oauth2/view-group-role.html
@@ -11,6 +11,7 @@
 
   <div class="container-fluid">
     <div class="row">
+      <h3>Role Details</h3>
       {%if group_role_error is defined%}
       {{display_error("Group Role", group_role_error)}}
       {%else%}
@@ -20,6 +21,7 @@
 	  <tr>
 	    <th>Privilege</th>
 	    <th>Description</th>
+	    <th>Action</th>
 	  </tr>
 	</thead>
 	<tbody>
@@ -27,6 +29,17 @@
 	  <tr>
 	    <td>{{privilege.privilege_id}}</td>
 	    <td>{{privilege.privilege_description}}</td>
+	    <td>
+	      <form action="{{url_for(
+			    'oauth2.group.delete_privilege_from_role',
+			    group_role_id=group_role.group_role_id)}}"
+		    method="POST">
+		<input type="hidden" name="privilege_id"
+		       value="{{privilege.privilege_id}}" />
+		<input type="submit" class="btn btn-danger"
+		       value="Remove" />
+	      </form>
+	    </td>
 	  </tr>
 	  {%endfor%}
 	</tbody>
@@ -34,6 +47,49 @@
       {%endif%}
     </div>
 
+    <div class="row">
+      <h3>Other Privileges</h3>
+      <table class="table">
+	<caption>Other Privileges not Assigned to this Role</caption>
+	<thead>
+	  <tr>
+	    <th>Privilege</th>
+	    <th>Description</th>
+	    <th>Action</th>
+	  </tr>
+	</thead>
+
+	<tbody>
+	  {%for priv in group_privileges%}
+	  <tr>
+	    <td>{{priv.privilege_id}}</td>
+	    <td>{{priv.privilege_description}}</td>
+	    <td>
+	      <form action="{{url_for(
+			    'oauth2.group.add_privilege_to_role',
+			    group_role_id=group_role.group_role_id)}}"
+		    method="POST">
+		<input type="hidden" name="privilege_id"
+		       value="{{priv.privilege_id}}" />
+		<input type="submit" class="btn btn-warning"
+		       value="Add to Role" />
+	      </form>
+	    </td>
+	  </tr>
+	  {%else%}
+	  <tr>
+	    <td colspan="3">
+	      <span class="glyphicon glyphicon-info-sign text-info">
+	      </span>
+	      &nbsp;
+	      <span class="text-info">All privileges assigned!</span>
+	    </td>
+	  </tr>
+	  {%endfor%}
+	</tbody>
+      </table>
+    </div>
+
   </div>
 
 </div>
-- 
cgit v1.2.3