From 8471ed1187a8abc5e28207776c5f49a59ba24b92 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 25 Apr 2023 09:42:36 +0300
Subject: auth: Roles: Check for editability

Some roles should not be user-editable, and as such, we need to check before allowing any edits on such roles. This commit makes that possible.
---
 gn3/auth/authorisation/groups/models.py | 21 ++++++++++++++++-----
 gn3/auth/authorisation/groups/views.py | 1 +
 2 files changed, 17 insertions(+), 5 deletions(-)
(limited to 'gn3/auth/authorisation/groups')

diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index bbe4ad6..accf2f2 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -15,7 +15,8 @@ from ..checks import authorised_p
 from ..privileges import Privilege
 from ..errors import NotFoundError, AuthorisationError, InconsistencyError
 from ..roles.models import (
- Role, create_role, revoke_user_role_by_name, assign_user_role_by_name)
+ Role, create_role, check_user_editable, revoke_user_role_by_name,
+ assign_user_role_by_name)

 class Group(NamedTuple):
 """Class representing a group."""
@@ -312,13 +313,19 @@ def __organise_privileges__(acc, row):
 if role:
 return {
 **acc,
- role_id: Role(role.role_id, role.role_name, role.privileges + (
- Privilege(row["privilege_id"], row["privilege_description"]),))
+ role_id: Role(
+ role.role_id, role.role_name,
+ bool(int(row["user_editable"])),
+ role.privileges + (
+ Privilege(row["privilege_id"],
+ row["privilege_description"]),))
 }
 return {
 **acc,
- role_id: Role(UUID(row["role_id"]), row["role_name"], (
- Privilege(row["privilege_id"], row["privilege_description"]),))
+ role_id: Role(
+ UUID(row["role_id"]), row["role_name"],
+ bool(int(row["user_editable"])),
+ (Privilege(row["privilege_id"], row["privilege_description"]),))
 }

 # @authorised_p(("group:role:view",),
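Review bot: `bool(int(row["user_editable"]))` in both new `Role(...)` constructions of this hunk raises `TypeError` on a NULL column value and `ValueError` on a non-numeric string, turning a schema or data problem into an unhandled exception on the privilege-organising path; whether the column is NOT NULL, and whether the SELECT that produces `row` now returns `user_editable` at all, is outside the hunk and I cannot confirm either. If NULL is possible, decode it explicitly and fail closed, e.g. `bool(int(row["user_editable"] or 0))`, with a comment stating that an unknown flag means "not editable". The same decode is repeated in views.py, so a single helper beside `Role` in roles.models would keep the storage encoding in one place. `__organise_privileges__` starts before this hunk.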
@@ -351,6 +358,7 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
 privilege: Privilege) -> GroupRole:
 """Add `privilege` to `group_role`."""
 ## TODO: do privileges check.
+ check_user_editable(group_role.role)
 with db.cursor(conn) as cursor:
 cursor.execute(
 "INSERT INTO role_privileges(role_id,privilege_id) "
@@ -362,12 +370,14 @@ def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
 group_role.group,
 Role(group_role.role.role_id,
 group_role.role.role_name,
+ group_role.role.user_editable,
 group_role.role.privileges + (privilege,)))

 def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
 privilege: Privilege) -> GroupRole:
 """Delete `privilege` to `group_role`."""
 ## TODO: do privileges check.
+ check_user_editable(group_role.role)
 with db.cursor(conn) as cursor:
 cursor.execute(
 "DELETE FROM role_privileges WHERE "
@@ -378,5 +388,6 @@ def delete_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
 group_role.group,
 Role(group_role.role.role_id,
 group_role.role.role_name,
+ group_role.role.user_editable,
 tuple(priv for priv in group_role.role.privileges if priv != privilege)))
diff --git a/gn3/auth/authorisation/groups/views.py b/gn3/auth/authorisation/groups/views.py
index 9e717a9..3f4ced0 100644
--- a/gn3/auth/authorisation/groups/views.py
+++ b/gn3/auth/authorisation/groups/views.py
@@ -298,6 +298,7 @@ def group_roles():
 group,
 Role(uuid.UUID(row["role_id"]),
 row["role_name"],
+ bool(int(row["user_editable"])),
 tuple()))
 for row in cursor.fetchall())
 return jsonify(tuple(
-- cgit v1.2.3
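Review bot: The new `check_user_editable(group_role.role)` gates on the `user_editable` value carried by the caller-supplied `GroupRole` object rather than on what the database holds for `group_role.role.role_id`, so the gate is only as trustworthy as whoever built that object; the call sites are not in this diff, but the `## TODO: do privileges check.` it sits under is left untouched, so there is still no authorisation check in front of the INSERT. I would re-read the flag by role id inside the `with db.cursor(conn)` block (the roles query is not in view, so I cannot write it here) and refuse the edit if it is not set, or at minimum document on the function that it trusts `group_role` to have been loaded from the database. It is also worth confirming that `check_user_editable` raises rather than returns a boolean, since its return value is discarded on this line. The function body continues past the hunk.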
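Review bot: The `Role(...)` rebuild at the top of this hunk (and the matching one in `delete_privilege_to_group_role`) re-lists every field positionally, so `user_editable` now occupies the third slot and any future field inserted into `Role` would silently shift a different value into it without a type error; if `Role` is a `NamedTuple` like `Group` in this file, `group_role.role._replace(privileges=group_role.role.privileges + (privilege,))` expresses the intent without touching the other fields. While here, the docstring `"""Delete `privilege` to `group_role`."""` should read `"""Remove `privilege` from `group_role`."""`. `add_privilege_to_group_role` starts before this hunk and `delete_privilege_to_group_role` ends after it.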
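Review bot: This is the third copy of the `bool(int(row["user_editable"]))` decode (the other two are in models.py), each dropped positionally into a `Role(...)` call, so a NULL value or a change in the column's storage encoding would have to be handled in three places. A small helper beside `Role` in roles.models, `def user_editable_from_row(row) -> bool: return bool(int(row["user_editable"]))`, gives one place to harden the decode. The flag also appears to flow into the `jsonify(...)` response that follows, which is presumably intended so clients can hide the edit affordance, but that change in response shape is worth a line in the commit message. `group_roles` starts before this hunk and continues past it.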