auth: Roles: Check for editability

Some roles should not be user-editable, and as such, we need to check before
allowing any edits on such roles. This commit makes that possible.

2 files changed, 17 insertions, 5 deletions

diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index bbe4ad6..accf2f2 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -15,7 +15,8 @@ from ..checks import authorised_p
 from ..privileges import Privilege
 from ..errors import NotFoundError, AuthorisationError, InconsistencyError
 from ..roles.models import (
-    Role, create_role, revoke_user_role_by_name, assign_user_role_by_name)
+    Role, create_role, check_user_editable, revoke_user_role_by_name,
+    assign_user_role_by_name)
 
 class Group(NamedTuple):
     """Class representing a group."""
@@ -312,13 +313,19 @@ def __organise_privileges__(acc, row):
     if role:
         return {
             **acc,
-            role_id: Role(role.role_id, role.role_name, role.privileges + (
-                Privilege(row["privilege_id"], row["privilege_description"]),))
+            role_id: Role(
+                role.role_id, role.role_name,
+                bool(int(row["user_editable"])),
+                role.privileges + (
+                    Privilege(row["privilege_id"],
+                              row["privilege_description"]),))
         }
     return {
         **acc,
-        role_id: Role(UUID(row["role_id"]), row["role_name"], (
-            Privilege(row["privilege_id"], row["privilege_description"]),))
+        role_id: Role(
+            UUID(row["role_id"]), row["role_name"],
+            bool(int(row["user_editable"])),
+            (Privilege(row["privilege_id"], row["privilege_description"]),))
     }
 
 # @authorised_p(("group:role:view",),
@@ -351,6 +358,7 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
                                 privilege: Privilege) -> GroupRole:
     """Add `privilege` to `group_role`."""
     ## TODO: do privileges check.
+    check_user_editable(group_role.role)
     with db.cursor(conn) as cursor:
         cursor.execute(
             "INSERT INTO role_privileges(role_id,privilege_id) "
@@ -362,12 +370,14 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
             group_role.group,
             Role(group_role.role.role_id,
                  group_role.role.role_name,
+                 group_role.role.user_editable,
                  group_role.role.privileges + (privilege,)))
 
 def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
                                    privilege: Privilege) -> GroupRole:
     """Delete `privilege` to `group_role`."""
     ## TODO: do privileges check.
+    check_user_editable(group_role.role)
     with db.cursor(conn) as cursor:
         cursor.execute(
             "DELETE FROM role_privileges WHERE "
@@ -378,5 +388,6 @@ def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
             group_role.group,
             Role(group_role.role.role_id,
                  group_role.role.role_name,
+                 group_role.role.user_editable,
                  tuple(priv for priv in group_role.role.privileges
                        if priv != privilege)))
diff --git a/gn3/auth/authorisation/groups/views.py b/gn3/auth/authorisation/groups/views.py
index 9e717a9..3f4ced0 100644
--- a/gn3/auth/authorisation/groups/views.py
+++ b/gn3/auth/authorisation/groups/views.py
@@ -298,6 +298,7 @@ def group_roles():
                               group,
                               Role(uuid.UUID(row["role_id"]),
                                    row["role_name"],
+                                   bool(int(row["user_editable"])),
                                    tuple()))
                     for row in cursor.fetchall())
         return jsonify(tuple(