Diffstat (limited to 'gn3/auth/authorisation')
-rw-r--r--gn3/auth/authorisation/resources/models.py23
-rw-r--r--gn3/auth/authorisation/resources/views.py29
2 files changed, 49 insertions, 3 deletions
diff --git a/gn3/auth/authorisation/resources/models.py b/gn3/auth/authorisation/resources/models.py
index 0a5b1ec..d0dd2f4 100644
--- a/gn3/auth/authorisation/resources/models.py
+++ b/gn3/auth/authorisation/resources/models.py
@@ -505,3 +505,26 @@ def assign_resource_user(
                 f"The user '{user.name}'({user.email}) was assigned the "
                 f"'{role.role.role_name}' role on resource with ID "
                 f"'{resource.resource_id}'.")}
+
+@authorised_p(
+    ("group:user:assign-role",),
+    "You cannot assign roles to users for this group.",
+    oauth2_scope="profile group role resource")
+def unassign_resource_user(
+        conn: db.DbConnection, resource: Resource, user: User,
+        role: GroupRole) -> dict:
+    """Assign `role` to `user` for the specific `resource`."""
+    with db.cursor(conn) as cursor:
+        cursor.execute(
+            "DELETE FROM group_user_roles_on_resources "
+            "WHERE group_id=? AND user_id=? AND role_id=? AND resource_id=?",
+            (str(resource.group.group_id), str(user.user_id),
+             str(role.role.role_id), str(resource.resource_id)))
+        return {
+            "resource": dictify(resource),
+            "user": dictify(user),
+            "role": dictify(role),
+            "description": (
+                f"The user '{user.name}'({user.email}) had the "
+                f"'{role.role.role_name}' role on resource with ID "
+                f"'{resource.resource_id}' taken away.")}
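Review bot: The docstring on `unassign_resource_user` is copied from the assign variant and states the opposite of what the function does; it should read `"""Remove `role` from `user` for the specific `resource`."""`. The returned description also claims the role was "taken away" regardless of whether the DELETE matched a row, so a caller cannot distinguish a real removal from a no-op on a role the user never held; checking `cursor.rowcount` after the execute, or including it in the returned dict, would expose that. The `authorised_p` decorator reuses the assign privilege `"group:user:assign-role"` together with the message "You cannot assign roles to users for this group." — the message should at least say "unassign", and whether removing a role is meant to be gated by the same privilege as granting one is worth confirming against the privileges table rather than inherited by copy-paste.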
diff --git a/gn3/auth/authorisation/resources/views.py b/gn3/auth/authorisation/resources/views.py
index 6d4098a..220181e 100644
--- a/gn3/auth/authorisation/resources/views.py
+++ b/gn3/auth/authorisation/resources/views.py
@@ -10,8 +10,8 @@ from gn3.auth.db_utils import with_db_connection
 from .checks import authorised_for
 from .models import (
     resource_by_id, resource_categories, assign_resource_user,
-    link_data_to_resource, resource_category_by_id, unlink_data_from_resource,
-    create_resource as _create_resource)
+    link_data_to_resource, unassign_resource_user, resource_category_by_id,
+    unlink_data_from_resource, create_resource as _create_resource)
 
 from ..roles import Role
 from ..errors import InvalidData, AuthorisationError
@@ -19,8 +19,8 @@ from ..groups.models import Group, GroupRole, group_role_by_id
 
 from ... import db
 from ...dictify import dictify
-from ...authentication.users import User, user_by_email
 from ...authentication.oauth2.resource_server import require_oauth
+from ...authentication.users import User, user_by_id, user_by_email
 
 resources = Blueprint("resources", __name__)
 
@@ -181,3 +181,26 @@ def assign_role_to_user(resource_id: uuid.UUID) -> Response:
             raise AuthorisationError(aserr.args[0]) from aserr
 
         return jsonify(with_db_connection(__assign__))
+
+@resources.route("<uuid:resource_id>/user/unassign", methods=["POST"])
+@require_oauth("profile group resource role")
+def unassign_role_to_user(resource_id: uuid.UUID) -> Response:
+    """Unassign a role on the specified resource from a user."""
+    with require_oauth.acquire("profile group resource role") as the_token:
+        try:
+            form = request.form
+            group_role_id = form.get("group_role_id", "")
+            user_id = form.get("user_id", "")
+            assert bool(group_role_id), "The role must be provided."
+            assert bool(user_id), "The user id must be provided."
+
+            def __assign__(conn: db.DbConnection) -> dict:
+                resource = resource_by_id(conn, the_token.user, resource_id)
+                return unassign_resource_user(
+                    conn, resource, user_by_id(conn, uuid.UUID(user_id)),
+                    group_role_by_id(conn, resource.group,
+                                     uuid.UUID(group_role_id)))
+        except AssertionError as aserr:
+            raise AuthorisationError(aserr.args[0]) from aserr
+
+        return jsonify(with_db_connection(__assign__))
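Review bot: The input validation in `unassign_role_to_user` relies on `assert`, which is stripped when Python runs with `-O`, so in that mode an empty `group_role_id` or `user_id` passes through and only fails later inside `uuid.UUID("")` with an uncaught ValueError; the same ValueError escapes for any malformed id string even without `-O`, because only AssertionError is translated into AuthorisationError. Replace the asserts with explicit checks and parse both UUIDs before entering the database callback, so a bad request is rejected as a client error rather than surfacing as a server error (InvalidData, already imported at the top of the file, may be the better exception type for the malformed-id case if its constructor accepts a message). The existing `assign_role_to_user` above follows the same assert pattern and would benefit from the same change; its body starts outside this hunk. As a point of style, the inner helper is still named `__assign__` inside an unassign view and `unassign_role_to_user` reads oddly; `__unassign__` and `unassign_role_from_user` would match the models-layer name `unassign_resource_user`.
```python
            form = request.form
            group_role_id = form.get("group_role_id", "")
            user_id = form.get("user_id", "")
            if not group_role_id:
                raise AuthorisationError("The role must be provided.")
            if not user_id:
                raise AuthorisationError("The user id must be provided.")
            try:
                role_uuid = uuid.UUID(group_role_id)
                user_uuid = uuid.UUID(user_id)
            except ValueError as verr:
                raise AuthorisationError(
                    "The role id and user id must be valid UUIDs.") from verr

            def __unassign__(conn: db.DbConnection) -> dict:
                resource = resource_by_id(conn, the_token.user, resource_id)
                return unassign_resource_user(
                    conn, resource, user_by_id(conn, user_uuid),
                    group_role_by_id(conn, resource.group, role_uuid))
            # … unchanged: except AssertionError branch and the jsonify/with_db_connection return …
```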