author | Frederick Muriuki Muriithi | 2023-04-27 06:33:34 +0300 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2023-04-27 06:46:48 +0300 |
commit | f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 (patch) | |
tree | 0f103dd33c241d78ab5b5625f875527d18db92e5 /gn3/auth | |
parent | 12e9f87753d5ef0d3343a2a92a824f2ace696e4e (diff) | |
download | genenetwork3-f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08.tar.gz |
auth: Retrieve `system:*` privileges from resource roles
With the assignment of `system:*` privileges to roles, we need to check for
their existence when doing authorisation.
This commit provides a hack for that, seeing as user groups (and the system
itself) are not treated as resources, and therefore the way to fetch the
privileges is not entirely consistent.
Diffstat (limited to 'gn3/auth')
-rw-r--r-- | gn3/auth/authorisation/checks.py | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 9b0af5f..0825c84 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -11,6 +11,25 @@ from .errors import AuthorisationError
 from ..authentication.oauth2.resource_server import require_oauth
+def __system_privileges_in_roles__(conn, user):
+ """
+ This really is a hack since groups are not treated as resources at the
+ moment of writing this.
+
+ We need a way of allowing the user to have the system:group:* privileges.
+ """
+ query = (
+ "SELECT DISTINCT p.* FROM users AS u "
+ "INNER JOIN group_user_roles_on_resources AS guror "
+ "ON u.user_id=guror.user_id "
+ "INNER JOIN roles AS r ON guror.role_id=r.role_id "
+ "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id "
+ "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
+ "WHERE u.user_id=? AND p.privilege_id LIKE 'system:%'")
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(user.user_id),))
+ return (row["privilege_id"] for row in cursor.fetchall())
+
 def authorised_p(
 privileges: tuple[str, ...],
 error_description: str = (
@@ -28,7 +47,9 @@ def authorised_p(
 with db.connection(app.config["AUTH_DB"]) as conn:
 user_privileges = tuple(
 priv.privilege_id for priv in
- auth_privs.user_privileges(conn, the_user))
+ auth_privs.user_privileges(conn, the_user)) + tuple(
+ priv_id for priv_id in
+ __system_privileges_in_roles__(conn, the_user))
 not_assigned = [
 priv for priv in privileges if priv not in user_privileges]
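Review bot: The docstring of `__system_privileges_in_roles__` says the helper exists to surface `system:group:*` privileges, but the `WHERE` clause matches `p.privilege_id LIKE 'system:%'`, so every `system:*` privilege reachable through any `group_user_roles_on_resources` row is returned, whatever resource the role is bound to; the docstring should state that scope, e.g. `Return the ids of all system:* privileges granted to *user* through roles assigned on any resource; the resource itself is not considered.` Because this widens what `authorised_p` treats as a held privilege, a maintainer who later attaches a system-level privilege to a resource-scoped role should be told it becomes effective system-wide, so a one-line comment on the `LIKE 'system:%'` line to that effect would help. The user id is bound through the `?` placeholder rather than interpolated, which is the right way to build the query. As a point of style, names of the form `__name__` are reserved for Python's special methods (PEP 8); unless this module already uses that convention deliberately, a module-private `_system_privileges_in_roles` reads as intended without the reserved-name form.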
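Review bot: The new right-hand operand wraps the helper's result in a redundant comprehension, `tuple(priv_id for priv_id in __system_privileges_in_roles__(conn, the_user))`; `tuple(__system_privileges_in_roles__(conn, the_user))` is equivalent and shorter. Since `user_privileges` is only used for the `priv not in user_privileges` membership test two lines later, building it as a `frozenset` of both sources would make the intent (a union of held privilege ids) explicit and collapse any id that both queries return. The enclosing `authorised_p` body starts and ends outside this hunk.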