diff options
author | Frederick Muriuki Muriithi | 2023-04-24 11:45:45 +0300 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2023-04-24 11:45:45 +0300 |
commit | 3e2198e39bc229553d118f367fbd2f9932a9a76b (patch) | |
tree | 8c388b14df38240a159358475ecf35f85b6d4d9c /gn3/auth/authorisation/users/models.py | |
parent | 993420e616e143684deb1c11565b6a8286cde37f (diff) | |
download | genenetwork3-3e2198e39bc229553d118f367fbd2f9932a9a76b.tar.gz |
auth: Return the actual privileges for the user
Previously, the `oauth2/data/authorisation` endpoint was returning hard-coded
values for the privileges assigned to the user for each resource. In this
change, we rework to return the actual privileges for the user.
Diffstat (limited to 'gn3/auth/authorisation/users/models.py')
-rw-r--r-- | gn3/auth/authorisation/users/models.py | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/gn3/auth/authorisation/users/models.py b/gn3/auth/authorisation/users/models.py index 844a8a9..8cfc1af 100644 --- a/gn3/auth/authorisation/users/models.py +++ b/gn3/auth/authorisation/users/models.py @@ -1,8 +1,11 @@ """Functions for acting on users.""" import uuid +from functools import reduce from gn3.auth import db +from gn3.auth.authorisation.roles.models import Role from gn3.auth.authorisation.checks import authorised_p +from gn3.auth.authorisation.privileges import Privilege from gn3.auth.authentication.users import User @@ -17,3 +20,47 @@ def list_users(conn: db.DbConnection) -> tuple[User, ...]: return tuple( User(uuid.UUID(row["user_id"]), row["email"], row["name"]) for row in cursor.fetchall()) + +def __build_resource_roles__(rows): + def __build_roles__(roles, row): + role_id = uuid.UUID(row["role_id"]) + priv = Privilege(row["privilege_id"], row["privilege_description"]) + role = roles.get(role_id, Role( + role_id, row["role_name"], tuple())) + return { + **roles, + role_id: Role(role_id, role.role_name, role.privileges + (priv,)) + } + def __build__(acc, row): + resource_id = uuid.UUID(row["resource_id"]) + return { + **acc, + resource_id: __build_roles__(acc.get(resource_id, {}), row) + } + return { + resource_id: tuple(roles.values()) + for resource_id, roles in reduce(__build__, rows, {}).items() + } + +# @authorised_p( +# ("",), +# ("You do not have the appropriate privileges to view a user's roles on " +# "resources.")) +def user_resource_roles(conn: db.DbConnection, user: User) -> dict[uuid.UUID, tuple[Role, ...]]: + """Fetch all the user's roles on resources.""" + with db.cursor(conn) as cursor: + cursor.execute( + "SELECT res.*, rls.*, p.*" + "FROM resources AS res INNER JOIN " + "group_user_roles_on_resources AS guror " + "ON res.resource_id=guror.resource_id " + "LEFT JOIN roles AS rls " + "ON guror.role_id=rls.role_id " + "LEFT JOIN role_privileges AS rp " + "ON rls.role_id=rp.role_id " + "LEFT JOIN privileges AS p " + "ON rp.privilege_id=p.privilege_id " + "WHERE guror.user_id = ?", + (str(user.user_id),)) + return __build_resource_roles__( + (dict(row) for row in cursor.fetchall())) |