From ecce454ca9d0f374e22da8401206e3b1695dbded Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 2 Feb 2023 14:15:29 +0300
Subject: auth: Improve authorisation
Retrieve the token, and user in the authorisation decorator to enable checking of privileges.
---
 gn3/auth/authorisation/groups/models.py | 43 ++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 20 deletions(-)
(limited to 'gn3/auth/authorisation/groups')
diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index 0750419..c5c9370 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -51,10 +51,10 @@ class MembershipError(AuthorisationError):
 def __init__(self, user: User, groups: Sequence[Group]):
 """Initialise the `MembershipError` exception object."""
 groups_str = ", ".join(group.group_name for group in groups)
- error_message = (
+ error_description = (
 f"User '{user.name} ({user.email})' is a member of {len(groups)} "
 f"groups ({groups_str})")
- super().__init__(f"{type(self).__name__}: {error_message}.")
+ super().__init__(f"{type(self).__name__}: {error_description}.")
 def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
 """Returns all the groups that a member belongs to"""
@@ -70,6 +70,12 @@ def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
 return groups
+@authorised_p(
+ privileges = ("system:group:create-group",),
+ error_description = (
+ "You do not have the appropriate privileges to enable you to "
+ "create a new group."),
+ oauth2_scope = "profile group")
 def create_group(
 conn: db.DbConnection, group_name: str, group_leader: User,
 group_description: Optional[str] = None) -> Group:
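Review bot: The decorator added to create_group passes `oauth2_scope = "profile group"`, but the decorators on create_group_role and group_users in the following hunks pass no `oauth2_scope` at all; unless `authorised_p` defines a default for that parameter those two calls will fail when the module is imported, and if it does define one, the difference in required scope deserves a short comment on each of them, e.g. `# default oauth2 scope is sufficient here`. The new keyword arguments are written with spaces around `=` (`privileges = (...)`, `error_description = (...)`, `oauth2_scope = ...`), which PEP 8 reserves for assignments; `privileges=("system:group:create-group",),` matches the style already used on the create_group_role decorator below, and the same applies to the group_users decorator in the last hunk. The body of create_group continues in the next hunk.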
@@ -78,26 +84,18 @@ def create_group(
 if len(user_groups) > 0:
 raise MembershipError(group_leader, user_groups)
- @authorised_p(
- ("system:group:create-group",), (
- "You do not have the appropriate privileges to enable you to "
- "create a new group."),
- group_leader)
- def __create_group__():
- with db.cursor(conn) as cursor:
- new_group = __save_group__(
- cursor, group_name,(
- {"group_description": group_description}
- if group_description else {}))
- add_user_to_group(cursor, new_group, group_leader)
- revoke_user_role_by_name(cursor, group_leader, "group-creator")
- assign_user_role_by_name(cursor, group_leader, "group-leader")
- return new_group
-
- return __create_group__()
+ with db.cursor(conn) as cursor:
+ new_group = __save_group__(
+ cursor, group_name,(
+ {"group_description": group_description}
+ if group_description else {}))
+ add_user_to_group(cursor, new_group, group_leader)
+ revoke_user_role_by_name(cursor, group_leader, "group-creator")
+ assign_user_role_by_name(cursor, group_leader, "group-leader")
+ return new_group
 @authorised_p(("group:role:create-role",),
- error_message="Could not create the group role")
+ error_description="Could not create the group role")
 def create_group_role(
 conn: db.DbConnection, group: Group, role_name: str,
 privileges: Iterable[Privilege]) -> GroupRole:
@@ -210,6 +208,11 @@ def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User):
 "ON CONFLICT (group_id, user_id) DO NOTHING"),
 {"group_id": str(the_group.group_id), "user_id": str(user.user_id)})
+@authorised_p(
+ privileges = ("system:group:view-group",),
+ error_description = (
+ "You do not have the appropriate privileges to access the list of users"
+ " in the group."))
 def group_users(conn: db.DbConnection, group_id: UUID) -> Iterable[User]:
 """Retrieve all users that are members of group with id `group_id`."""
 with db.cursor(conn) as cursor:
-- 
cgit v1.2.3
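Review bot: The privilege check no longer refers to `group_leader`: the removed inner decorator passed `group_leader` explicitly, whereas the module-level decorator added in the previous hunk checks whichever user the token identifies, yet the new body still adds `group_leader` to the group and gives it the `group-leader` role without confirming it is that same user. If the intent is that a caller may only create a group for themselves, the body should compare the two and raise an `AuthorisationError` before `with db.cursor(conn) as cursor:` is entered; how the authenticated user reaches this function is not visible here, so the exact line depends on what `authorised_p` exposes. If creating a group on another user's behalf is intended, a one-line comment above the `with` saying so would keep the next reader from treating it as an oversight. create_group starts outside this hunk.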
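Review bot: The decorator on group_users is given only a privilege name and an error description, not the `group_id` the function receives, so as written it cannot relate the caller to the group being listed; the `system:` prefix suggests a system-wide privilege, and any per-group membership check would have to live in the body, which continues beyond the hunk. A docstring sentence on group_users making that split explicit, e.g. `The decorator checks the system-wide 'system:group:view-group' privilege only; it is not given group_id, so any per-group restriction must be applied in the body.`, would let endpoint authors know what the function does and does not verify.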