authorFrederick Muriuki Muriithi2023-04-27 06:33:34 +0300
committerFrederick Muriuki Muriithi2023-04-27 06:46:48 +0300
commitf2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 (patch)
tree0f103dd33c241d78ab5b5625f875527d18db92e5 /gn3/auth
parent12e9f87753d5ef0d3343a2a92a824f2ace696e4e (diff)
downloadgenenetwork3-f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08.tar.gz
auth: Retrieve `system:*` privileges from resource roles
With the assignment of `system:*` privileges to roles, we need to check for their existence when doing authorisation. This commit provides a hack for that, seeing as user groups (and the system itself) are not treated as resources, and therefore the way to fetch the privileges is not entirely consistent.
Diffstat (limited to 'gn3/auth')
-rw-r--r--gn3/auth/authorisation/checks.py23
1 files changed, 22 insertions, 1 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 9b0af5f..0825c84 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -11,6 +11,25 @@ from .errors import AuthorisationError
from ..authentication.oauth2.resource_server import require_oauth
+def __system_privileges_in_roles__(conn, user):
+ """
+ This really is a hack since groups are not treated as resources at the
+ moment of writing this.
+
+ We need a way of allowing the user to have the system:group:* privileges.
+ """
+ query = (
+ "SELECT DISTINCT p.* FROM users AS u "
+ "INNER JOIN group_user_roles_on_resources AS guror "
+ "ON u.user_id=guror.user_id "
+ "INNER JOIN roles AS r ON guror.role_id=r.role_id "
+ "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id "
+ "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
+ "WHERE u.user_id=? AND p.privilege_id LIKE 'system:%'")
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(user.user_id),))
+ return (row["privilege_id"] for row in cursor.fetchall())
+
def authorised_p(
privileges: tuple[str, ...],
error_description: str = (
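Review bot: The query in `__system_privileges_in_roles__` filters only on `u.user_id` and the `'system:%'` prefix and never reads a resource column from `group_user_roles_on_resources`, so a `system:*` privilege carried by a role granted on any single resource is elevated to a system-wide privilege once `authorised_p` concatenates it into `user_privileges`; the docstring should state this scope widening explicitly, e.g. `Resource scope is ignored: a role carrying a system:* privilege on any resource grants it system-wide.` The function also returns a generator over `cursor.fetchall()` after the `with db.cursor(conn)` block has exited; that works only because the rows are already materialised, and `return tuple(row["privilege_id"] for row in cursor.fetchall())` would make the result reusable and let the caller drop its own `tuple(priv_id for priv_id in ...)` re-wrap in the second hunk. The `__name__`-style double underscores on both ends are reserved by PEP 8 for names defined by the language itself; `_system_privileges_in_roles` is the conventional spelling for a module-private helper. The `authorised_p` definition starts in this hunk and continues past its end.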
@@ -28,7 +47,9 @@ def authorised_p(
with db.connection(app.config["AUTH_DB"]) as conn:
user_privileges = tuple(
priv.privilege_id for priv in
- auth_privs.user_privileges(conn, the_user))
+ auth_privs.user_privileges(conn, the_user)) + tuple(
+ priv_id for priv_id in
+ __system_privileges_in_roles__(conn, the_user))
not_assigned = [
priv for priv in privileges if priv not in user_privileges]