Diffstat (limited to 'gn3/auth/authorisation/checks.py')
-rw-r--r--gn3/auth/authorisation/checks.py29
1 files changed, 16 insertions, 13 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 8fef209..6579afc 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -10,29 +10,32 @@ from . import privileges as auth_privs
 from .errors import AuthorisationError
 
 from ..authentication.users import User
+from ..authentication.oauth2.resource_server import require_oauth
 
 def authorised_p(
         privileges: tuple[str],
-        error_message: str = (
+        error_description: str = (
             "You lack authorisation to perform requested action"),
-        user: Optional[User] = None):
+        oauth2_scope = "profile"):
     """Authorisation decorator."""
     assert len(privileges) > 0, "You must provide at least one privilege"
     def __build_authoriser__(func: Callable):
         @wraps(func)
         def __authoriser__(*args, **kwargs):
-            the_user = user or (hasattr(g, "user") and g.user)
-            if the_user:
-                with db.connection(app.config["AUTH_DB"]) as conn:
-                    user_privileges = tuple(
-                        priv.privilege_id for priv in
-                        auth_privs.user_privileges(conn, the_user))
+            # the_user = user or (hasattr(g, "user") and g.user)
+            with require_oauth.acquire(oauth2_scope) as the_token:
+                the_user = the_token.user
+                if the_user:
+                    with db.connection(app.config["AUTH_DB"]) as conn:
+                        user_privileges = tuple(
+                            priv.privilege_id for priv in
+                            auth_privs.user_privileges(conn, the_user))
 
-                not_assigned = [
-                    priv for priv in privileges if priv not in user_privileges]
-                if len(not_assigned) == 0:
-                    return func(*args, **kwargs)
+                    not_assigned = [
+                        priv for priv in privileges if priv not in user_privileges]
+                    if len(not_assigned) == 0:
+                        return func(*args, **kwargs)
 
-            raise AuthorisationError(error_message)
+                raise AuthorisationError(error_message)
         return __authoriser__
     return __build_authoriser__
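Review bot: `raise AuthorisationError(error_message)` on the last line of `__authoriser__` still uses the old parameter name after the signature renamed it to `error_description`, so the authorisation-denied path now raises `NameError` instead of `AuthorisationError`; change it to `raise AuthorisationError(error_description)`. Any caller that catches `AuthorisationError` to turn a privilege failure into a proper denial response would instead see an unhandled exception, although the wrapped function is still not invoked. The commented-out `# the_user = user or (hasattr(g, "user") and g.user)` line is dead code now that the `user` parameter is gone and should be deleted rather than left as a comment. For consistency with the other parameters, the new one could be annotated as `oauth2_scope: str = "profile"`.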