aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authorisation/resources
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-03-07 06:24:37 +0300
committerFrederick Muriuki Muriithi2023-03-07 06:24:37 +0300
commita3a87ae52200cca7586b64d4e15cb12c88b17cd7 (patch)
treee6ee9bab751382ea379694ef83735625f234206e /gn3/auth/authorisation/resources
parent09c2330e9e8279f6c9fd391a736435ceb4705873 (diff)
downloadgenenetwork3-a3a87ae52200cca7586b64d4e15cb12c88b17cd7.tar.gz
auth: resources: unassign roles on resource from a user.
Diffstat (limited to 'gn3/auth/authorisation/resources')
-rw-r--r--gn3/auth/authorisation/resources/models.py23
-rw-r--r--gn3/auth/authorisation/resources/views.py29
2 files changed, 49 insertions, 3 deletions
diff --git a/gn3/auth/authorisation/resources/models.py b/gn3/auth/authorisation/resources/models.py
index 0a5b1ec..d0dd2f4 100644
--- a/gn3/auth/authorisation/resources/models.py
+++ b/gn3/auth/authorisation/resources/models.py
@@ -505,3 +505,26 @@ def assign_resource_user(
f"The user '{user.name}'({user.email}) was assigned the "
f"'{role.role.role_name}' role on resource with ID "
f"'{resource.resource_id}'.")}
+
+@authorised_p(
+ ("group:user:assign-role",),
+ "You cannot assign roles to users for this group.",
+ oauth2_scope="profile group role resource")
+def unassign_resource_user(
+ conn: db.DbConnection, resource: Resource, user: User,
+ role: GroupRole) -> dict:
+ """Assign `role` to `user` for the specific `resource`."""
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "DELETE FROM group_user_roles_on_resources "
+ "WHERE group_id=? AND user_id=? AND role_id=? AND resource_id=?",
+ (str(resource.group.group_id), str(user.user_id),
+ str(role.role.role_id), str(resource.resource_id)))
+ return {
+ "resource": dictify(resource),
+ "user": dictify(user),
+ "role": dictify(role),
+ "description": (
+ f"The user '{user.name}'({user.email}) had the "
+ f"'{role.role.role_name}' role on resource with ID "
+ f"'{resource.resource_id}' taken away.")}
diff --git a/gn3/auth/authorisation/resources/views.py b/gn3/auth/authorisation/resources/views.py
index 6d4098a..220181e 100644
--- a/gn3/auth/authorisation/resources/views.py
+++ b/gn3/auth/authorisation/resources/views.py
@@ -10,8 +10,8 @@ from gn3.auth.db_utils import with_db_connection
from .checks import authorised_for
from .models import (
resource_by_id, resource_categories, assign_resource_user,
- link_data_to_resource, resource_category_by_id, unlink_data_from_resource,
- create_resource as _create_resource)
+ link_data_to_resource, unassign_resource_user, resource_category_by_id,
+ unlink_data_from_resource, create_resource as _create_resource)
from ..roles import Role
from ..errors import InvalidData, AuthorisationError
@@ -19,8 +19,8 @@ from ..groups.models import Group, GroupRole, group_role_by_id
from ... import db
from ...dictify import dictify
-from ...authentication.users import User, user_by_email
from ...authentication.oauth2.resource_server import require_oauth
+from ...authentication.users import User, user_by_id, user_by_email
resources = Blueprint("resources", __name__)
@@ -181,3 +181,26 @@ def assign_role_to_user(resource_id: uuid.UUID) -> Response:
raise AuthorisationError(aserr.args[0]) from aserr
return jsonify(with_db_connection(__assign__))
+
+@resources.route("<uuid:resource_id>/user/unassign", methods=["POST"])
+@require_oauth("profile group resource role")
+def unassign_role_to_user(resource_id: uuid.UUID) -> Response:
+ """Unassign a role on the specified resource from a user."""
+ with require_oauth.acquire("profile group resource role") as the_token:
+ try:
+ form = request.form
+ group_role_id = form.get("group_role_id", "")
+ user_id = form.get("user_id", "")
+ assert bool(group_role_id), "The role must be provided."
+ assert bool(user_id), "The user id must be provided."
+
+ def __assign__(conn: db.DbConnection) -> dict:
+ resource = resource_by_id(conn, the_token.user, resource_id)
+ return unassign_resource_user(
+ conn, resource, user_by_id(conn, uuid.UUID(user_id)),
+ group_role_by_id(conn, resource.group,
+ uuid.UUID(group_role_id)))
+ except AssertionError as aserr:
+ raise AuthorisationError(aserr.args[0]) from aserr
+
+ return jsonify(with_db_connection(__assign__))