authorFrederick Muriuki Muriithi2025-06-09 12:53:58 -0500
committerFrederick Muriuki Muriithi2025-06-09 12:53:58 -0500
commit1fb89d6ec14db63ef57573260d2996fd3d169f5e (patch)
treeeb65759357dc247fca057ed0bdd02420950e4c3c
parent183076a4ae6b7d0f7e8c5369111ae79e5cad04ba (diff)
downloadgn-auth-1fb89d6ec14db63ef57573260d2996fd3d169f5e.tar.gz
Use more flexible check for authorisation.
Use the more flexible check for authorisation that a user has on a
specific resource.
-rw-r--r--gn_auth/auth/authorisation/data/phenotypes.py27
-rw-r--r--gn_auth/auth/authorisation/data/views.py6
2 files changed, 25 insertions, 8 deletions
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index 63b3f12..3e45af3 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -8,8 +8,12 @@ from MySQLdb.cursors import DictCursor
 
 from gn_auth.auth.db import sqlite3 as authdb
 
+from gn_auth.auth.errors import AuthorisationError
 from gn_auth.auth.authorisation.checks import authorised_p
-from gn_auth.auth.authorisation.resources.groups.models import Group
+from gn_auth.auth.authorisation.resources.system.models import system_resource
+from gn_auth.auth.authorisation.resources.groups.models import Group, group_resource
+
+from gn_auth.auth.authorisation.resources.checks import authorised_for2
 
 def linked_phenotype_data(
         authconn: authdb.DbConnection, gn3conn: gn3db.Connection,
@@ -111,17 +115,26 @@ def pheno_traits_from_db(gn3conn: gn3db.Connection, params: tuple[dict, ...]) ->
         return cursor.fetchall()
 
 
-@authorised_p(("system:data:link-to-group",),
-              error_description=(
-                  "You do not have sufficient privileges to link data to (a) "
-                  "group(s)."),
-              oauth2_scope="profile group resource")
 def link_phenotype_data(
-        authconn:authdb.DbConnection,
+        authconn: authdb.DbConnection,
+        user,
         group: Group,
         traits: tuple[dict, ...]
 ) -> dict:
     """Link phenotype traits to a user group."""
+    if not (authorised_for2(authconn,
+                            user,
+                            system_resource(authconn),
+                            ("system:data:link-to-group",))
+            or
+            authorised_for2(authconn,
+                            user,
+                            group_resource(authconn, group.group_id),
+                            ("group:data:link-to-group",))
+            ):
+        raise AuthorisationError(
+            "You do not have sufficient privileges to link data to group "
+            f"'{group.group_name}'.")
     with authdb.cursor(authconn) as cursor:
         params = tuple({
             "data_link_id": str(uuid.uuid4()),
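Review bot: The new `user` parameter is the only unannotated argument of link_phenotype_data, and the docstring still says nothing about who must be authorised or that the function now raises, even though the decorator that previously carried that information is gone. Annotate `user` the same way the module annotates its other arguments (the type that `token.user` carries in views.py, which is not visible here), and extend the docstring with something like `Raises AuthorisationError unless *user* holds system:data:link-to-group on the system resource or group:data:link-to-group on *group*.` Since the removed decorator was the only use of `authorised_p` visible in this diff, the import kept in the first hunk of this file may now be unused; worth checking the rest of the module. The body of link_phenotype_data continues past the end of the hunk.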
diff --git a/gn_auth/auth/authorisation/data/views.py b/gn_auth/auth/authorisation/data/views.py
index fc20e86..9123949 100644
--- a/gn_auth/auth/authorisation/data/views.py
+++ b/gn_auth/auth/authorisation/data/views.py
@@ -312,6 +312,7 @@ def link_mrna() -> Response:
         partial(__link__, **__values__(request_json()))))
 
 @data.route("/link/phenotype", methods=["POST"])
+@require_oauth("profile group resource")
 def link_phenotype() -> Response:
     """Link phenotype data to group."""
     def __values__(form):
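Review bot: The scope literal `"profile group resource"` now appears twice in this view, on the decorator added here and in the `require_oauth.acquire(...)` call of the next hunk, and it is the same string the removed `oauth2_scope` argument carried in phenotypes.py; a single module-level constant such as `LINK_SCOPE = "profile group resource"` referenced from both places keeps the two from drifting apart. As far as the visible lines show, the decorator validates the token and `acquire` is what binds it to `token`, so the double check is harmless beyond the repeated literal. link_phenotype continues past the end of the hunk.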
@@ -331,7 +332,8 @@ def link_phenotype() -> Response:
             "using_raw_ids": bool(form.get("using-raw-ids") == "on")
         }
 
-    with gn3db.database_connection(app.config["SQL_URI"]) as gn3conn:
+    with (require_oauth.acquire("profile group resource") as token,
+          gn3db.database_connection(app.config["SQL_URI"]) as gn3conn):
         def __link__(
                 conn: db.DbConnection,
                 group_id: uuid.UUID,
@@ -340,9 +342,11 @@ def link_phenotype() -> Response:
         ) -> dict:
             if using_raw_ids:
                 return link_phenotype_data(conn,
+                                           token.user,
                                            group_by_id(conn, group_id),
                                            traits)
             return link_phenotype_data(conn,
+                                       token.user,
                                        group_by_id(conn, group_id),
                                        pheno_traits_from_db(gn3conn, traits))