2 files changed, 11 insertions, 4 deletions

diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index accf2f2..ea629e0 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -354,6 +354,9 @@ def group_role_by_id(
         raise NotFoundError(
             f"Group role with ID '{group_role_id}' does not exist.")
 
+@authorised_p(("group:role:edit-role",),
+              "You do not have the privilege to edit a role.",
+              oauth2_scope="profile group role")
 def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
                                 privilege: Privilege) -> GroupRole:
     """Add `privilege` to `group_role`."""
@@ -373,8 +376,12 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
                  group_role.role.user_editable,
                  group_role.role.privileges + (privilege,)))
 
-def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
-                                   privilege: Privilege) -> GroupRole:
+@authorised_p(("group:role:edit-role",),
+              "You do not have the privilege to edit a role.",
+              oauth2_scope="profile group role")
+def delete_privilege_from_group_role(
+        conn: db.DbConnection, group_role: GroupRole,
+        privilege: Privilege) -> GroupRole:
     """Delete `privilege` to `group_role`."""
     ## TODO: do privileges check.
     check_user_editable(group_role.role)
diff --git a/gn3/auth/authorisation/groups/views.py b/gn3/auth/authorisation/groups/views.py
index 3f4ced0..3aa54eb 100644
--- a/gn3/auth/authorisation/groups/views.py
+++ b/gn3/auth/authorisation/groups/views.py
@@ -19,7 +19,7 @@ from .models import (
     join_requests, group_role_by_id, GroupCreationError,
     accept_reject_join_request, group_users as _group_users,
     create_group as _create_group, add_privilege_to_group_role,
-    delete_privilege_to_group_role, create_group_role as _create_group_role)
+    delete_privilege_from_group_role, create_group_role as _create_group_role)
 
 from ..roles.models import Role
 from ..checks import authorised_p
@@ -392,7 +392,7 @@ def __add_remove_priv_to_from_role__(conn: db.DbConnection,
             raise NotFoundError("Privilege not found.")
         dir_fns = {
             "ADD": add_privilege_to_group_role,
-            "DELETE": delete_privilege_to_group_role
+            "DELETE": delete_privilege_from_group_role
         }
         return dir_fns[direction](
             conn,