aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authorisation
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-01-11 11:20:36 +0300
committerFrederick Muriuki Muriithi2023-01-11 11:20:36 +0300
commit53371fb668d1d18ba4696b3e4739f26edd677d8d (patch)
tree1bdc74e65ed1c49de6414949d0a02e5cb05f7d75 /gn3/auth/authorisation
parent1b28c4043b4e1199920bc848d752bcc154314842 (diff)
downloadgenenetwork3-53371fb668d1d18ba4696b3e4739f26edd677d8d.tar.gz
auth: assign default role. separate group creation from group admin
A newly registered user will have the ability to create a group. Once a user is a member of a group, either by creating a new group, or being added to a group, they should not be able to create any more groups, i.e. they lose the 'create-group' (and/or equivalent) privileges. This means that the group-administration privileges should be separated from the group-creation privilege. * gn3/auth/authorisation/roles.py: assign default roles to user on registration * gn3/auth/authorisation/views.py: assign default roles to user on registration * migrations/auth/20230111_01_Wd6IZ-remove-create-group-privilege-from-group-leader.py: separate group-creation role from group-administration role. * tests/unit/auth/fixtures/user_fixtures.py: Add group-creation role to test user * tests/unit/auth/test_roles.py: Add the group-creation role explicitly in the expected results for the test
Diffstat (limited to 'gn3/auth/authorisation')
-rw-r--r--gn3/auth/authorisation/roles.py13
-rw-r--r--gn3/auth/authorisation/views.py5
2 files changed, 16 insertions, 2 deletions
diff --git a/gn3/auth/authorisation/roles.py b/gn3/auth/authorisation/roles.py
index 562d3bc..6602c9f 100644
--- a/gn3/auth/authorisation/roles.py
+++ b/gn3/auth/authorisation/roles.py
@@ -83,3 +83,16 @@ def user_roles(conn: db.DbConnection, user: User):
return tuple(
reduce(__organise_privileges__, results, {}).values())
return tuple()
+
+def assign_default_roles(cursor: db.DbCursor, user: User):
+ """Assign `user` some default roles."""
+ cursor.execute(
+ 'SELECT role_id FROM roles WHERE role_name IN '
+ '("group-creator")')
+ role_ids = cursor.fetchall()
+ str_user_id = str(user.user_id)
+ params = (
+ {"user_id": str_user_id, "role_id": role_id} for role_id in role_ids)
+ cursor.executemany(
+ ("INSERT INTO user_roles VALUES (:user_id, :role_id)"),
+ params)
diff --git a/gn3/auth/authorisation/views.py b/gn3/auth/authorisation/views.py
index 6ac3be0..2c47bd9 100644
--- a/gn3/auth/authorisation/views.py
+++ b/gn3/auth/authorisation/views.py
@@ -7,10 +7,10 @@ from gn3.auth.blueprint import oauth2
from .groups import user_group
from .errors import UserRegistrationError
-from .roles import user_roles as _user_roles
+from .roles import assign_default_roles, user_roles as _user_roles
from ..authentication.oauth2.resource_server import require_oauth
-from ..authentication.users import User, save_user, set_user_password
+from ..authentication.users import save_user, set_user_password
from ..authentication.oauth2.models.oauth2token import token_by_access_token
@oauth2.route("/user", methods=["GET"])
@@ -95,6 +95,7 @@ def register_user():
with db.cursor(conn) as cursor:
user, _hashed_password = set_user_password(
cursor, save_user(cursor, email, user_name), password)
+ assign_default_roles(cursor, user)
return jsonify(
{
"user_id": user.user_id,