authorFrederick Muriuki Muriithi2023-02-02 14:15:29 +0300
committerFrederick Muriuki Muriithi2023-02-02 14:15:29 +0300
commitecce454ca9d0f374e22da8401206e3b1695dbded (patch)
tree70db9cc60df565336b7c37103b39a2d92183d764 /gn3/auth/authorisation/checks.py
parentdfe5eb18e3ec8dc570d118bfe95c5d4dcb2c7575 (diff)
downloadgenenetwork3-ecce454ca9d0f374e22da8401206e3b1695dbded.tar.gz
auth: Improve authorisation
Retrieve the token and user in the authorisation decorator to enable checking of privileges.
Diffstat (limited to 'gn3/auth/authorisation/checks.py')
-rw-r--r--gn3/auth/authorisation/checks.py29
1 files changed, 16 insertions, 13 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 8fef209..6579afc 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -10,29 +10,32 @@ from . import privileges as auth_privs
from .errors import AuthorisationError
from ..authentication.users import User
+from ..authentication.oauth2.resource_server import require_oauth
def authorised_p(
privileges: tuple[str],
- error_message: str = (
+ error_description: str = (
"You lack authorisation to perform requested action"),
- user: Optional[User] = None):
+ oauth2_scope = "profile"):
"""Authorisation decorator."""
assert len(privileges) > 0, "You must provide at least one privilege"
def __build_authoriser__(func: Callable):
@wraps(func)
def __authoriser__(*args, **kwargs):
- the_user = user or (hasattr(g, "user") and g.user)
- if the_user:
- with db.connection(app.config["AUTH_DB"]) as conn:
- user_privileges = tuple(
- priv.privilege_id for priv in
- auth_privs.user_privileges(conn, the_user))
+ # the_user = user or (hasattr(g, "user") and g.user)
+ with require_oauth.acquire(oauth2_scope) as the_token:
+ the_user = the_token.user
+ if the_user:
+ with db.connection(app.config["AUTH_DB"]) as conn:
+ user_privileges = tuple(
+ priv.privilege_id for priv in
+ auth_privs.user_privileges(conn, the_user))
- not_assigned = [
- priv for priv in privileges if priv not in user_privileges]
- if len(not_assigned) == 0:
- return func(*args, **kwargs)
+ not_assigned = [
+ priv for priv in privileges if priv not in user_privileges]
+ if len(not_assigned) == 0:
+ return func(*args, **kwargs)
- raise AuthorisationError(error_message)
+ raise AuthorisationError(error_message)
return __authoriser__
return __build_authoriser__
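Review bot: The final added line `raise AuthorisationError(error_message)` references a name this same hunk removes — the parameter is renamed to `error_description` — so any caller that lacks a privilege (or a token with no user, which also falls through to this raise) triggers a NameError rather than the intended AuthorisationError, surfacing as an unhandled server error instead of the authorisation failure the decorator exists to produce; change it to `raise AuthorisationError(error_description)`. The commented-out `# the_user = user or (hasattr(g, "user") and g.user)` line should be deleted rather than carried forward, since the token is now the only source of the user. For consistency with the other parameters, `oauth2_scope = "profile"` should carry an annotation, `oauth2_scope: str = "profile"`.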