From f16d079979cf84894892ab876421f64d9687e57c Mon Sep 17 00:00:00 2001
From: Munyoki Kilyungi
Date: Fri, 22 Mar 2024 23:40:52 +0300
Subject: Implement "require_oauth2_edit_resource_access" decorator.

* gn2/wqflask/oauth2/checks.py (require_oauth2): New function.

Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
---
 gn2/wqflask/oauth2/checks.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'gn2')

diff --git a/gn2/wqflask/oauth2/checks.py b/gn2/wqflask/oauth2/checks.py
index 9a633b95..5f0d1376 100644
--- a/gn2/wqflask/oauth2/checks.py
+++ b/gn2/wqflask/oauth2/checks.py
@@ -39,3 +39,26 @@ def require_oauth2(func):
         return session.user_token().either(__clear_session__, __with_token__)
 
     return __token_valid__
+
+
+def require_oauth2_edit_resource_access(func):
+    """Check if a user has edit access for a given resource."""
+    @wraps(func)
+    def __check_edit_access__(*args, **kwargs):
+        # Check edit access, if not return to the same page.
+
+        # This is for a GET
+        resource_name = request.args.get("name", "")
+        # And for a POST request.
+        if request.method == "POST":
+            resource_name = request.form.get("name", "")
+        result = oauth2_get(
+            f"auth/resource/authorisation/{resource_name}"
+        ).either(
+            lambda _: {"roles": []},
+            lambda val: val
+        )
+        if "group:resource:edit-resource" not in result.get("roles", []):
+            return redirect(f"/datasets/{resource_name}")
+        return func(*args, **kwargs)
+    return __check_edit_access__
-- 
cgit v1.2.3