authorFrederick Muriuki Muriithi2026-02-10 11:46:13 -0600
committerFrederick Muriuki Muriithi2026-02-10 11:46:13 -0600
commit6cd9f4b87d7956c505ed84e0c8be2c18c627df38 (patch)
tree40aaf171227e155c1ac3d62c331698ab960da10c
parent95e2c62795441f6361daa086f72917b6606eb68a (diff)
downloadgn-auth-6cd9f4b87d7956c505ed84e0c8be2c18c627df38.tar.gz
Authorisation Check: New function to check user has edit access.
-rw-r--r--gn_auth/auth/authorisation/resources/checks.py23
1 files changed, 23 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/checks.py b/gn_auth/auth/authorisation/resources/checks.py
index 80e7f5b..f139179 100644
--- a/gn_auth/auth/authorisation/resources/checks.py
+++ b/gn_auth/auth/authorisation/resources/checks.py
@@ -177,3 +177,26 @@ def can_view(
             user_id,
             system_resource(conn).resource_id,
             "(OR system:system-wide:data:view system:resource:view)"))
+
+
+def can_edit(
+        conn: authdb.DbConnection,
+        user_id: uuid.UUID,
+        resource_id: uuid.UUID
+) -> bool:
+    """Check whether user is allowed edit a resource and/or its data."""
+    return (
+        authorised_for_spec(
+            # resource-level edit access: user has edit access to his resource.
+            conn,
+            user_id,
+            resource_id,
+            "(OR group:resource:edit-resource system:resource:edit)")
+        or
+        authorised_for_spec(
+            # system-wide edit access: user can edit any/all resource(s).
+            conn,
+            user_id,
+            system_resource(conn).resource_id,
+            "(OR system:system-wide:data:edit system:resource:edit)"))
+
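Review bot: `can_edit` folds two privilege classes into one boolean: its docstring promises a check for editing "a resource and/or its data", but the resource-level spec lists only `group:resource:edit-resource` and `system:resource:edit`, and the only data privilege, `system:system-wide:data:edit`, sits in the system-wide branch. A caller guarding a data write will therefore accept a user who holds only the resource-edit privilege, and a caller guarding a resource-metadata change will accept a user who holds only system-wide data-edit. If those grants are meant to be separable, split the function into two checks or narrow the docstring to what the specs cover, for example `"""Check whether the user may edit a resource, directly or through a system-wide grant."""`. The first inline comment presumably means `# resource-level edit access: user has edit access to this resource.` rather than "his resource". The resource-level half of `can_view` starts above the hunk, so the two functions' spec strings could not be compared for consistency.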