authorFrederick Muriuki Muriithi2026-02-10 11:15:40 -0600
committerFrederick Muriuki Muriithi2026-02-10 11:27:38 -0600
commit5d0c7b9f0a811e1b777285f4f7de59db8deeb14c (patch)
tree02caa893912ac4b2a9f02ad99f62007d99231436
parentca2fcbbad0714e6c67192b1bd0e2ab7375680c85 (diff)
downloadgn-auth-5d0c7b9f0a811e1b777285f4f7de59db8deeb14c.tar.gz
Authorisation Check: New function to check user has delete access.
-rw-r--r--gn_auth/auth/authorisation/resources/checks.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/checks.py b/gn_auth/auth/authorisation/resources/checks.py
index 59bf90c..225468c 100644
--- a/gn_auth/auth/authorisation/resources/checks.py
+++ b/gn_auth/auth/authorisation/resources/checks.py
@@ -5,6 +5,7 @@ import warnings
 from functools import reduce
 from typing import Sequence
 
+import gn_libs.sqlite3 as authdb
 from gn_libs.privileges import check
 
 from .base import Resource
@@ -12,6 +13,7 @@ from .base import Resource
 from ...db import sqlite3 as db
 from ...authentication.users import User
 
+from ..system.models import system_resource
 from ..privileges.models import db_row_to_privilege
 
 
@@ -125,3 +127,23 @@ def authorised_for_spec(
             (str(resource_id), str(user_id)))
         _privileges = tuple(row["privilege_id"] for row in cursor.fetchall())
     return check(auth_spec, _privileges)
+
+
+def can_delete(
+        conn: authdb.DbConnection,
+        user_id: uuid.UUID,
+        resource_id: uuid.UUID
+) -> bool:
+    """Check whether user is allowed delete a resource and/or its data."""
+    return (
+        authorised_for_spec(# resource-level delete access
+            conn,
+            user_id,
+            resource_id,
+            "(OR group:resource:delete-resource system:resource:delete)")
+        or
+        authorised_for_spec(# system-wide delete access
+            conn,
+            user_id,
+            system_resource(conn).resource_id,
+            "(AND system:system-wide:data:delete)"))
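Review bot: The docstring on `can_delete` says "allowed delete a resource and/or its data", but the body returns True whenever either the resource-level spec or the system-wide `system:system-wide:data:delete` spec (evaluated against the system resource) passes, so a caller cannot tell from the result whether the user may delete the resource record itself or only its data; I would state the actual rule, e.g. `"""Return True if `user_id` holds a resource-level delete privilege on `resource_id`, or the system-wide data-delete privilege on the system resource."""`. The annotations use `uuid.UUID` and `authdb.DbConnection`, yet the only import this commit adds for them is `gn_libs.sqlite3 as authdb`; if `uuid` is not already imported earlier in the file the module will fail at import time, and since the file already has `from ...db import sqlite3 as db`, annotating `conn` with the same `DbConnection` type that `authorised_for_spec` uses would avoid two sqlite3 aliases in one file (`authorised_for_spec`'s signature is outside the hunk, so I cannot confirm which it takes). The `# resource-level delete access` and `# system-wide delete access` comments sit inside the call parentheses after `authorised_for_spec(`, which is hard to read; put each on the line above its call.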