diff options
Diffstat (limited to 'gn3/auth/authorisation')
| -rw-r--r-- | gn3/auth/authorisation/checks.py | 4 | ||||
| -rw-r--r-- | gn3/auth/authorisation/groups.py | 30 | ||||
| -rw-r--r-- | gn3/auth/authorisation/resources.py | 24 |
3 files changed, 51 insertions, 7 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py index 3181655..dd041fe 100644 --- a/gn3/auth/authorisation/checks.py +++ b/gn3/auth/authorisation/checks.py @@ -16,11 +16,11 @@ def authorised_p( def __build_authoriser__(func: Callable): @wraps(func) def __authoriser__(*args, **kwargs): - if hasattr(g, "user_id") and g.user_id: + if hasattr(g, "user") and g.user: with db.connection(app.config["AUTH_DB"]) as conn: user_privileges = tuple( priv.privilege_name for priv in - auth_privs.user_privileges(conn, g.user_id)) + auth_privs.user_privileges(conn, g.user)) not_assigned = [ priv for priv in privileges if priv not in user_privileges] diff --git a/gn3/auth/authorisation/groups.py b/gn3/auth/authorisation/groups.py index 7597a04..ac80089 100644 --- a/gn3/auth/authorisation/groups.py +++ b/gn3/auth/authorisation/groups.py @@ -2,12 +2,16 @@ from uuid import UUID, uuid4 from typing import Sequence, Iterable, NamedTuple +from flask import g +from pymonad.maybe import Just, Maybe, Nothing + from gn3.auth import db from gn3.auth.authentication.users import User +from gn3.auth.authentication.checks import authenticated_p +from .checks import authorised_p from .privileges import Privilege from .roles import Role, create_role -from .checks import authorised_p class Group(NamedTuple): """Class representing a group.""" @@ -75,3 +79,27 @@ def create_group_role( (str(group_role_id), str(group.group_id), str(role.role_id))) return GroupRole(group_role_id, role) + +@authenticated_p +def authenticated_user_group(conn) -> Maybe: + """ + Returns the currently authenticated user's group. + + Look into returning a Maybe object. + """ + user = g.user + with db.cursor(conn) as cursor: + cursor.execute( + ("SELECT groups.group_id, groups.group_name FROM group_users " + "INNER JOIN groups ON group_users.group_id=groups.group_id " + "WHERE group_users.user_id = ?"), + (str(user.user_id),)) + groups = tuple(Group(UUID(row[0]), row[1]) for row in cursor.fetchall()) + + if len(groups) > 1: + raise MembershipError(user, groups) + + if len(groups) == 1: + return Just(groups[0]) + + return Nothing diff --git a/gn3/auth/authorisation/resources.py b/gn3/auth/authorisation/resources.py index d01c435..f0a4b3a 100644 --- a/gn3/auth/authorisation/resources.py +++ b/gn3/auth/authorisation/resources.py @@ -1,10 +1,14 @@ """Handle the management of resources.""" -from uuid import UUID +from uuid import UUID, uuid4 from typing import NamedTuple from gn3.auth import db -from .groups import Group from .checks import authorised_p +from .exceptions import AuthorisationError +from .groups import Group, authenticated_user_group + +class MissingGroupError(AuthorisationError): + """Raised for any resource operation without a group.""" class ResourceCategory(NamedTuple): """Class representing a resource category.""" @@ -22,6 +26,18 @@ class Resource(NamedTuple): @authorised_p(("create-resource",), error_message="Could not create resource") def create_resource( conn: db.DbConnection, resource_name: str, - resource_category: ResourceCategory): + resource_category: ResourceCategory) -> Resource: """Create a resource item.""" - return tuple() + with db.cursor(conn) as cursor: + group = authenticated_user_group(conn).maybe(False, lambda val: val) + if not group: + raise MissingGroupError( + "User with no group cannot create a resource.") + resource = Resource(group, uuid4(), resource_name, resource_category) + cursor.execute( + ("INSERT INTO resources VALUES (?, ?, ?, ?)"), + (str(resource.group.group_id), str(resource.resource_id), + resource_name, + str(resource.resource_category.resource_category_id))) + + return resource |