From 0e96276a56e3a3fdf61d9f409eaac37072bdd292 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 27 Apr 2023 05:43:52 +0300
Subject: auth: Add authorisation checks for role editting.

---
 gn3/auth/authorisation/groups/models.py | 11 +++++++++--
 gn3/auth/authorisation/groups/views.py  |  4 ++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index accf2f2..ea629e0 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -354,6 +354,9 @@ def group_role_by_id(
         raise NotFoundError(
             f"Group role with ID '{group_role_id}' does not exist.")
 
+@authorised_p(("group:role:edit-role",), "You do not have the privilege to edit a role.", oauth2_scope="profile group role")
 def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
                                 privilege: Privilege) -> GroupRole:
     """Add `privilege` to `group_role`."""
@@ -373,8 +376,12 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
                     group_role.role.user_editable,
                     group_role.role.privileges + (privilege,)))
 
-def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
-                                   privilege: Privilege) -> GroupRole:
+@authorised_p(("group:role:edit-role",),
+              "You do not have the privilege to edit a role.",
+              oauth2_scope="profile group role")
+def delete_privilege_from_group_role(
+        conn: db.DbConnection, group_role: GroupRole,
+        privilege: Privilege) -> GroupRole:
     """Delete `privilege` to `group_role`."""
     ## TODO: do privileges check.
     check_user_editable(group_role.role)
diff --git a/gn3/auth/authorisation/groups/views.py b/gn3/auth/authorisation/groups/views.py
index 3f4ced0..3aa54eb 100644
--- a/gn3/auth/authorisation/groups/views.py
+++ b/gn3/auth/authorisation/groups/views.py
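Review bot: The new `@authorised_p(("group:role:edit-role",), …)` on `add_privilege_to_group_role` only establishes that the caller holds the edit-role privilege; nothing visible in this hunk ties that privilege to `group_role.group`, and the body (which continues past the hunk and, per the next hunk's context, does `group_role.role.privileges + (privilege,)`) appends whatever `privilege` it is handed. Unless `authorised_p` also scopes the check to the role's group and limits which privileges may be granted — I cannot see its implementation here — a role editor can grant a privilege they do not themselves hold, including `group:role:edit-role` or any system-level privilege, which is a straightforward escalation path. I would add an explicit guard before the append that rejects a `privilege` not in the caller's own privilege set (reusing the same authorisation error the decorator raises) and confirm the caller is a member of `group_role.group`. At minimum the docstring should say what the decorator does and does not check, e.g. `"""Add `privilege` to `group_role`. Requires `group:role:edit-role`; does not verify the caller holds `privilege` itself."""`.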
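Review bot: The `## TODO: do privileges check.` comment under the renamed `delete_privilege_from_group_role` is now ambiguous — the added `@authorised_p` already performs the caller-privilege check, so a reader cannot tell whether the TODO is stale or whether a further check (caller's membership in `group_role.group`, or that `privilege` is within the caller's own grant) is still pending. Either remove it or make it name the remaining check, e.g. `## TODO: verify caller belongs to group_role.group.` The docstring also still reads `"""Delete `privilege` to `group_role`."""`; with the rename it should match the new name, e.g. `"""Remove `privilege` from `group_role`."""`. The function body continues past the end of the hunk.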
@@ -19,7 +19,7 @@ from .models import (
     join_requests, group_role_by_id, GroupCreationError, accept_reject_join_request, group_users as _group_users, create_group as _create_group, add_privilege_to_group_role,
-    delete_privilege_to_group_role, create_group_role as _create_group_role)
+    delete_privilege_from_group_role, create_group_role as _create_group_role)
 from ..roles.models import Role
 from ..checks import authorised_p
@@ -392,7 +392,7 @@ def __add_remove_priv_to_from_role__(conn: db.DbConnection,
         raise NotFoundError("Privilege not found.")
     dir_fns = {
         "ADD": add_privilege_to_group_role,
-        "DELETE": delete_privilege_to_group_role
+        "DELETE": delete_privilege_from_group_role
     }
     return dir_fns[direction](
         conn,
-- 
cgit v1.2.3