Diffstat (limited to 'gn3/auth/authorisation/groups')
-rw-r--r--gn3/auth/authorisation/groups/models.py11
-rw-r--r--gn3/auth/authorisation/groups/views.py4
2 files changed, 11 insertions, 4 deletions
diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index accf2f2..ea629e0 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -354,6 +354,9 @@ def group_role_by_id(
raise NotFoundError(
f"Group role with ID '{group_role_id}' does not exist.")
+@authorised_p(("group:role:edit-role",),
+ "You do not have the privilege to edit a role.",
+ oauth2_scope="profile group role")
def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
privilege: Privilege) -> GroupRole:
"""Add `privilege` to `group_role`."""
@@ -373,8 +376,12 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
group_role.role.user_editable,
group_role.role.privileges + (privilege,)))
-def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
- privilege: Privilege) -> GroupRole:
+@authorised_p(("group:role:edit-role",),
+ "You do not have the privilege to edit a role.",
+ oauth2_scope="profile group role")
+def delete_privilege_from_group_role(
+ conn: db.DbConnection, group_role: GroupRole,
+ privilege: Privilege) -> GroupRole:
"""Delete `privilege` to `group_role`."""
## TODO: do privileges check.
check_user_editable(group_role.role)
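Review bot: The `## TODO: do privileges check.` comment left under the new `@authorised_p` decorator on `delete_privilege_from_group_role` is now ambiguous, because the decorator already performs a privilege check, so the TODO is either stale or refers to a check the decorator does not make. From the visible arguments the decorator receives only the privilege name, an error message and an OAuth2 scope, not `group_role`, so it presumably cannot tell whether the caller holds `group:role:edit-role` in the group that owns this role. If that is the remaining work, make it explicit, for example `## TODO: check the privilege against the group that owns group_role.`, and otherwise delete the line; the same question applies to the identical decorator added to `add_privilege_to_group_role` in the first hunk. The docstring should also follow the rename and read "Delete ... from" rather than "Delete ... to". The function body continues past the end of this hunk, so a per-group check further down would not be visible here.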
diff --git a/gn3/auth/authorisation/groups/views.py b/gn3/auth/authorisation/groups/views.py
index 3f4ced0..3aa54eb 100644
--- a/gn3/auth/authorisation/groups/views.py
+++ b/gn3/auth/authorisation/groups/views.py
@@ -19,7 +19,7 @@ from .models import (
join_requests, group_role_by_id, GroupCreationError,
accept_reject_join_request, group_users as _group_users,
create_group as _create_group, add_privilege_to_group_role,
- delete_privilege_to_group_role, create_group_role as _create_group_role)
+ delete_privilege_from_group_role, create_group_role as _create_group_role)
from ..roles.models import Role
from ..checks import authorised_p
@@ -392,7 +392,7 @@ def __add_remove_priv_to_from_role__(conn: db.DbConnection,
raise NotFoundError("Privilege not found.")
dir_fns = {
"ADD": add_privilege_to_group_role,
- "DELETE": delete_privilege_to_group_role
+ "DELETE": delete_privilege_from_group_role
}
return dir_fns[direction](
conn,