From e2c83f971c1ba251dba7df196883bd468a19c022 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 26 Jun 2023 08:36:10 +0300
Subject: Bug: Pass the dataset name/id for authorisation checks

The new authorisation checks need the dataset name/id for checking the
access level the user has on any data. This commit passes the dataset
name/id through the requests.

We also add some exceptions to ensure that this data is passed through
before even attempting to check for the authorisation.
---
 wqflask/wqflask/decorators.py                | 10 ++++++++++
 wqflask/wqflask/metadata_edits.py            |  2 ++
 wqflask/wqflask/templates/edit_probeset.html |  4 ++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/wqflask/wqflask/decorators.py b/wqflask/wqflask/decorators.py
index b281e9bd..e33e6bb6 100644
--- a/wqflask/wqflask/decorators.py
+++ b/wqflask/wqflask/decorators.py
@@ -113,9 +113,19 @@ def required_access(access_levels: tuple[str, ...],
             dataset_name = kwargs.get(
                 dataset_key,
                 request.args.get(dataset_key, request.form.get(dataset_key, "")))
+            if not bool(dataset_name):
+                raise AuthorisationError(
+                    "DeveloperError: Dataset name not provided. It is needed "
+                    "for the authorisation checks.",
+                    session_info()["user"])
             trait_name = kwargs.get(
                 trait_key,
                 request.args.get(trait_key, request.form.get(trait_key, "")))
+            if not bool(trait_name):
+                raise AuthorisationError(
+                    "DeveloperError: Trait name not provided. It is needed for "
+                    "the authorisation checks.",
+                    session_info()["user"])
             return client.post(
                 "oauth2/data/authorisation",
                 json={"traits": [f"{dataset_name}::{trait_name}"]}).either(
diff --git a/wqflask/wqflask/metadata_edits.py b/wqflask/wqflask/metadata_edits.py
index ca7e8ae7..d24a3098 100644
--- a/wqflask/wqflask/metadata_edits.py
+++ b/wqflask/wqflask/metadata_edits.py
@@ -166,6 +166,7 @@ def display_probeset_metadata(name: str):
             name=name,
             resource_id=request.args.get("resource-id"),
             version=os.environ.get("GN_VERSION"),
+            dataset_name=request.args["dataset_name"]
         )
 
 
@@ -484,6 +485,7 @@ def update_probeset(name: str):
         return redirect(
             f"/datasets/traits/{name}"
             f"?resource-id={request.args.get('resource-id')}"
+            f"&dataset_name={request.args['dataset_id']}"
         )
 
 
diff --git a/wqflask/wqflask/templates/edit_probeset.html b/wqflask/wqflask/templates/edit_probeset.html
index c5ef992e..02185c2a 100644
--- a/wqflask/wqflask/templates/edit_probeset.html
+++ b/wqflask/wqflask/templates/edit_probeset.html
@@ -32,9 +32,9 @@
 	<h1>Probeset Editing Form: {{ probeset.name }}</h1>
 	<small><a href="{{url_for('metadata_edit.show_history', name=name)}}" target="_blank">[View History]</a></small>
     </div>
-    <form id="edit-form" class="container form-horizontal" method="post" action="/datasets/traits/{{ name }}?resource-id={{ resource_id }}" enctype='multipart/form-data'>
+    <form id="edit-form" class="container form-horizontal" method="post" action="/datasets/traits/{{name}}?resource-id={{resource_id}}&dataset_id={{dataset_name}}" enctype='multipart/form-data'>
 	<div class="form-group">
-	    <div class="controls left-block col-sm-8 col-lg-8" style="width: max-content;">
+	  <div class="controls left-block col-sm-8 col-lg-8" style="width: max-content;">
 		<input name="id" class="changed" type="hidden" value="{{ probeset.id_ }}"/>
 		<input name="old_id_" class="changed" type="hidden" value="{{ probeset.id_ }}"/>
 		<input name="probeset_name" class="changed" type="hidden" value="{{ probeset.name }}"/>
-- 
cgit v1.2.3