Use more flexible check for authorisation.

Use the more flexible check for authorisation that a user has on a
specific resource.

1 files changed, 5 insertions, 1 deletions

diff --git a/gn_auth/auth/authorisation/data/views.py b/gn_auth/auth/authorisation/data/views.py
index fc20e86..9123949 100644
--- a/gn_auth/auth/authorisation/data/views.py
+++ b/gn_auth/auth/authorisation/data/views.py
@@ -312,6 +312,7 @@ def link_mrna() -> Response:
         partial(__link__, **__values__(request_json()))))
 
 @data.route("/link/phenotype", methods=["POST"])
+@require_oauth("profile group resource")
 def link_phenotype() -> Response:
     """Link phenotype data to group."""
     def __values__(form):
@@ -331,7 +332,8 @@ def link_phenotype() -> Response:
             "using_raw_ids": bool(form.get("using-raw-ids") == "on")
         }
 
-    with gn3db.database_connection(app.config["SQL_URI"]) as gn3conn:
+    with (require_oauth.acquire("profile group resource") as token,
+          gn3db.database_connection(app.config["SQL_URI"]) as gn3conn):
         def __link__(
                 conn: db.DbConnection,
                 group_id: uuid.UUID,
@@ -340,9 +342,11 @@ def link_phenotype() -> Response:
         ) -> dict:
             if using_raw_ids:
                 return link_phenotype_data(conn,
+                                           token.user,
                                            group_by_id(conn, group_id),
                                            traits)
             return link_phenotype_data(conn,
+                                       token.user,
                                        group_by_id(conn, group_id),
                                        pheno_traits_from_db(gn3conn, traits))