authorFrederick Muriuki Muriithi2023-04-24 11:45:45 +0300
committerFrederick Muriuki Muriithi2023-04-24 11:45:45 +0300
commit3e2198e39bc229553d118f367fbd2f9932a9a76b (patch)
tree8c388b14df38240a159358475ecf35f85b6d4d9c /gn3/auth/authorisation/users/models.py
parent993420e616e143684deb1c11565b6a8286cde37f (diff)
downloadgenenetwork3-3e2198e39bc229553d118f367fbd2f9932a9a76b.tar.gz
auth: Return the actual privileges for the user
Previously, the `oauth2/data/authorisation` endpoint was returning hard-coded
values for the privileges assigned to the user for each resource. In this
change, we rework it to return the actual privileges the user holds.
Diffstat (limited to 'gn3/auth/authorisation/users/models.py')
-rw-r--r--gn3/auth/authorisation/users/models.py47
1 files changed, 47 insertions, 0 deletions
diff --git a/gn3/auth/authorisation/users/models.py b/gn3/auth/authorisation/users/models.py
index 844a8a9..8cfc1af 100644
--- a/gn3/auth/authorisation/users/models.py
+++ b/gn3/auth/authorisation/users/models.py
@@ -1,8 +1,11 @@
 """Functions for acting on users."""
 import uuid
+from functools import reduce
 
 from gn3.auth import db
+from gn3.auth.authorisation.roles.models import Role
 from gn3.auth.authorisation.checks import authorised_p
+from gn3.auth.authorisation.privileges import Privilege
 
 from gn3.auth.authentication.users import User
 
@@ -17,3 +20,47 @@ def list_users(conn: db.DbConnection) -> tuple[User, ...]:
         return tuple(
             User(uuid.UUID(row["user_id"]), row["email"], row["name"])
             for row in cursor.fetchall())
+
+def __build_resource_roles__(rows):
+    def __build_roles__(roles, row):
+        role_id = uuid.UUID(row["role_id"])
+        priv = Privilege(row["privilege_id"], row["privilege_description"])
+        role = roles.get(role_id, Role(
+            role_id, row["role_name"], tuple()))
+        return {
+            **roles,
+            role_id: Role(role_id, role.role_name, role.privileges + (priv,))
+        }
+    def __build__(acc, row):
+        resource_id = uuid.UUID(row["resource_id"])
+        return {
+            **acc,
+            resource_id: __build_roles__(acc.get(resource_id, {}), row)
+        }
+    return {
+        resource_id: tuple(roles.values())
+        for resource_id, roles in reduce(__build__, rows, {}).items()
+    }
+
+# @authorised_p(
+#     ("",),
+#     ("You do not have the appropriate privileges to view a user's roles on "
+#      "resources."))
+def user_resource_roles(conn: db.DbConnection, user: User) -> dict[uuid.UUID, tuple[Role, ...]]:
+    """Fetch all the user's roles on resources."""
+    with db.cursor(conn) as cursor:
+        cursor.execute(
+            "SELECT res.*, rls.*, p.*"
+            "FROM resources AS res INNER JOIN "
+            "group_user_roles_on_resources AS guror "
+            "ON res.resource_id=guror.resource_id "
+            "LEFT JOIN roles AS rls "
+            "ON guror.role_id=rls.role_id "
+            "LEFT JOIN role_privileges AS rp "
+            "ON rls.role_id=rp.role_id "
+            "LEFT JOIN privileges AS p "
+            "ON rp.privilege_id=p.privilege_id "
+            "WHERE guror.user_id = ?",
+            (str(user.user_id),))
+        return __build_resource_roles__(
+            (dict(row) for row in cursor.fetchall()))
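Review bot: The three `LEFT JOIN`s in user_resource_roles admit rows where `rls.role_id` or `p.privilege_id` is NULL (a `group_user_roles_on_resources` entry whose role row is missing, or a role with no privileges), and `__build_roles__` then either calls `uuid.UUID(None)`, which raises `TypeError`, or appends a `Privilege(None, None)` to the role. If every referenced role and privilege is expected to exist, `INNER JOIN` on `roles`, `role_privileges` and `privileges` states that and drops the dead branch; otherwise guard the helper with `if row["privilege_id"] is None: return {**roles, role_id: roles.get(role_id, Role(role_id, row["role_name"], tuple()))}` so a privilege-less role is kept without a phantom privilege. Separately, the `authorised_p` decorator above the function is commented out with a placeholder `("",)` privilege, so nothing in this module checks that the caller may enumerate another user's roles on resources; either restore it with the intended privilege or add a comment such as `# Authorisation is the caller's responsibility: only the authenticated user's own roles are fetched.` if that is the design. The `__dunder__` spelling of the private helpers is reserved for Python's own special names; a single leading underscore (`_build_resource_roles`) is the conventional private marker.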