authorFrederick Muriuki Muriithi2026-02-10 11:21:55 -0600
committerFrederick Muriuki Muriithi2026-02-10 11:27:38 -0600
commit2fe5d90776edd1bc62a6eeaa492d3efb2974b158 (patch)
tree7c4fc0ea5d7723167fdfa2948b60f4b0dad3dbf1 /gn_auth/auth/authorisation/data
parent5d0c7b9f0a811e1b777285f4f7de59db8deeb14c (diff)
downloadgn-auth-2fe5d90776edd1bc62a6eeaa492d3efb2974b158.tar.gz
Use Auth function that checks for delete access.
Diffstat (limited to 'gn_auth/auth/authorisation/data')
-rw-r--r--gn_auth/auth/authorisation/data/phenotypes.py23
1 files changed, 5 insertions, 18 deletions
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index 1f79e0e..788b9e7 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -12,8 +12,8 @@ from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
 
 from gn_auth.auth.errors import AuthorisationError
 from gn_auth.auth.authorisation.checks import authorised_p
+from gn_auth.auth.authorisation.resources.checks import can_delete
 from gn_auth.auth.authorisation.resources.system.models import system_resource
-from gn_auth.auth.authorisation.resources.checks import authorised_for_spec
 from gn_auth.auth.authorisation.resources.groups.models import Group, group_resource
 
 
@@ -251,12 +251,6 @@ def delete_linked_phenotypes_data(
     with (require_oauth.acquire("profile group resource") as _token,
           authdb.connection(db_uri) as auth_conn,
           authdb.cursor(auth_conn) as cursor):
-        # - Does user have DELETE privilege on system (i.e. is data curator)?
-        #   YES: go ahead and delete data as below.
-        # - Does user have DELETE privilege on resource(s)?
-        #   YES: Delete phenotypes by resource, checking privileges for each
-        #        resource.
-        # - Neither: Raise `AuthorisationError` and bail!
         _deleted = 0
         xref_ids = tuple(request.json.get("xref_ids", []))#type: ignore[union-attr]
         if len(xref_ids) > 0:
@@ -264,19 +258,12 @@ def delete_linked_phenotypes_data(
             data_link_ids = fetch_data_link_ids(
                 cursor, species_id, population_id, dataset_id, xref_ids)
             resource_id = fetch_resource_id(cursor, data_link_ids)
-            if not (authorised_for_spec(
-                    auth_conn,
-                    _token.user.user_id,
-                    resource_id,
-                    "(OR group:resource:delete-resource system:resource:delete)")
-                    or
-                    authorised_for_spec(
-                        auth_conn,
-                        _token.user.user_id,
-                        system_resource(auth_conn).resource_id,
-                        "(AND system:system-wide:data:delete)")):
+            # - Does user have DELETE privilege on the data
+            if not can_delete(auth_conn, _token.user.user_id, resource_id):
+                # - No: Raise `AuthorisationError` and bail!
                 raise AuthorisationError(
                     "You are not allowed to delete this resource's data.")
+            # - YES: go ahead and delete data as below.
             _resources_ids = unlink_from_resources(cursor, data_link_ids)
             delete_resources(cursor, _resources_ids)
             _deleted = delete_linked_data(cursor, data_link_ids)
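Review bot: The replaced check at the removed lines granted deletion through either of two paths — a resource-level `group:resource:delete-resource`/`system:resource:delete` privilege on `resource_id`, or a system-wide `system:system-wide:data:delete` privilege on the system resource — while the new single call `can_delete(auth_conn, _token.user.user_id, resource_id)` makes neither path visible here; if `can_delete` does not consult the system-level privilege, data curators lose access, and if it is broader than the old spec, the gate is loosened. Since the contract of the authorisation gate is not evident from this file, the comment above the call should state it, e.g. `# can_delete must grant access for either a resource-level delete privilege on resource_id or the system-wide data:delete privilege (replaces the explicit authorised_for_spec pair).` The comment on the line before the call reads as a question but lacks its question mark (`# - Does user have DELETE privilege on the data?`). In the first hunk `system_resource` is still imported although its only visible use was in the removed block; it is presumably unused now unless referenced elsewhere in the file. delete_linked_phenotypes_data starts outside the hunk.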