aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth
diff options
context:
space:
mode:
Diffstat (limited to 'gn3/auth')
-rw-r--r--gn3/auth/authorisation/checks.py23
1 files changed, 22 insertions, 1 deletions
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 9b0af5f..0825c84 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -11,6 +11,25 @@ from .errors import AuthorisationError
from ..authentication.oauth2.resource_server import require_oauth
+def __system_privileges_in_roles__(conn, user):
+ """
+ This really is a hack since groups are not treated as resources at the
+ moment of writing this.
+
+ We need a way of allowing the user to have the system:group:* privileges.
+ """
+ query = (
+ "SELECT DISTINCT p.* FROM users AS u "
+ "INNER JOIN group_user_roles_on_resources AS guror "
+ "ON u.user_id=guror.user_id "
+ "INNER JOIN roles AS r ON guror.role_id=r.role_id "
+ "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id "
+ "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
+ "WHERE u.user_id=? AND p.privilege_id LIKE 'system:%'")
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(user.user_id),))
+ return (row["privilege_id"] for row in cursor.fetchall())
+
def authorised_p(
privileges: tuple[str, ...],
error_description: str = (
@@ -28,7 +47,9 @@ def authorised_p(
with db.connection(app.config["AUTH_DB"]) as conn:
user_privileges = tuple(
priv.privilege_id for priv in
- auth_privs.user_privileges(conn, the_user))
+ auth_privs.user_privileges(conn, the_user)) + tuple(
+ priv_id for priv_id in
+ __system_privileges_in_roles__(conn, the_user))
not_assigned = [
priv for priv in privileges if priv not in user_privileges]