authorFrederick Muriuki Muriithi2024-06-11 11:20:34 -0500
committerFrederick Muriuki Muriithi2024-06-11 11:25:00 -0500
commita060c0d277300d5fda06772bf95e1456159111e2 (patch)
tree2c309fd859743ce16b509feef0c3bb9cd083aec0
parentd2b388bb1b7ab7d693a29dc172256d79f5bea1eb (diff)
downloadgn-auth-a060c0d277300d5fda06772bf95e1456159111e2.tar.gz
List users assigned a particular role on a specific resource.handle-role-privilege-escalation
-rw-r--r--gn_auth/auth/authorisation/resources/views.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index f0413e8..4c8411f 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -535,3 +535,21 @@ def unassign_resource_role_privilege(resource_id: UUID, role_id: UUID):
"status": "Success",
"message": "Privilege was unassigned."
}), 200
+
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/users",
+ methods=["GET"])
+@require_oauth("profile group resource")
+def resource_role_users(resource_id: UUID, role_id: UUID):
+ """Retrieve users assigned role on resource."""
+ with (require_oauth.acquire("profile group resource") as _token,
+ db.connection(app.config["AUTH_DB"]) as conn,
+ db.cursor(conn) as cursor):
+ # MAYBE: check user has something like resource:role:view-users
+ cursor.execute(
+ "SELECT u.* FROM user_roles AS ur INNER JOIN users AS u "
+ "ON ur.user_id=u.user_id WHERE ur.resource_id=? AND ur.role_id=?",
+ (str(resource_id), str(role_id)))
+ results = cursor.fetchall() or []
+
+ return jsonify(tuple(User.from_sqlite3_row(row) for row in results)), 200
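Review bot: `resource_role_users` discloses the membership of any role on any resource to every caller holding the "profile group resource" scope, because the acquired token is bound to `_token` and never consulted, and the `# MAYBE:` comment concedes that no per-resource authorisation happens before the query runs. Since resource and role ids are caller-supplied UUIDs, a scoped token is enough to enumerate who administers a resource the caller has no relationship with, which is a user-enumeration / information-disclosure gap rather than a style nit. Before `cursor.execute`, the user carried by the token should be checked for a view-type privilege on `resource_id`, in whatever form the other resource-role endpoints in this file use (outside this hunk, so inferred), and the placeholder replaced with something like `# Only callers with a view privilege on this resource may list its role holders`. Separately, `SELECT u.*` pulls every column of `users`; unless `User.from_sqlite3_row` is known to drop credential or secret columns, select only the fields the `User` object needs so a future schema change cannot leak them through this response.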