authorFrederick Muriuki Muriithi2026-02-06 16:59:59 -0600
committerFrederick Muriuki Muriithi2026-02-06 16:59:59 -0600
commit6f1907292cb2b54b8f18b139480b1837c6f355e0 (patch)
treef786398cce207daf39908a124572827e54f8d853 /gn_auth/auth/authorisation/data
parentf91869500b0cb2ebeb785ee13464cad9aefba801 (diff)
downloadgn-auth-6f1907292cb2b54b8f18b139480b1837c6f355e0.tar.gz
Replace hard-coded email check with check against privileges
Fix the check: rather than using a hard-coded email to check for
authorisation, we instead check against the privileges the user has on
the resource, or whether they have global privileges allowing them to
act on any data.
Diffstat (limited to 'gn_auth/auth/authorisation/data')
-rw-r--r--gn_auth/auth/authorisation/data/phenotypes.py20
1 files changed, 15 insertions, 5 deletions
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index 91f761a..20f887c 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -13,8 +13,10 @@ from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
 from gn_auth.auth.errors import AuthorisationError
 from gn_auth.auth.authorisation.checks import authorised_p
 from gn_auth.auth.authorisation.resources.system.models import system_resource
+from gn_auth.auth.authorisation.resources.checks import authorised_for_spec
 from gn_auth.auth.authorisation.resources.groups.models import Group, group_resource
 
+
 from gn_auth.auth.authorisation.checks import require_json
 from gn_auth.auth.authorisation.resources.checks import authorised_for2
 
@@ -248,11 +250,6 @@ def delete_linked_phenotypes_data(
     with (require_oauth.acquire("profile group resource") as _token,
           authdb.connection(db_uri) as auth_conn,
           authdb.cursor(auth_conn) as cursor):
-        # TODO: Check for user privileges here.
-        if _token.user.email not in (
-                'acenteno@gmail.com', 'acenteno@uthsc.edu'):
-            raise AuthorisationError(
-                "You are not allowed to delete this resource's data.")
         # - Does user have DELETE privilege on system (i.e. is data curator)?
         #   YES: go ahead and delete data as below.
         # - Does user have DELETE privilege on resource(s)?
@@ -266,6 +263,19 @@ def delete_linked_phenotypes_data(
             data_link_ids = fetch_data_link_ids(
                 cursor, species_id, population_id, dataset_id, xref_ids)
             resource_id = fetch_resource_id(cursor, data_link_ids)
+            if not (authorised_for_spec(
+                    auth_conn,
+                    _token.user.user_id,
+                    resource_id,
+                    "(OR group:resource:delete-resource system:resource:delete)")
+                    or
+                    authorised_for_spec(
+                        auth_conn,
+                        _token.user.user_id,
+                        system_resource(auth_conn).resource_id,
+                        "(AND system:system-wide:data:delete)")):
+                raise AuthorisationError(
+                    "You are not allowed to delete this resource's data.")
             _resources_ids = unlink_from_resources(cursor, data_link_ids)
             delete_resources(cursor, _resources_ids)
             _deleted = delete_linked_data(cursor, data_link_ids)
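Review bot: The added `authorised_for_spec` check authorises against the single `resource_id` returned by `fetch_resource_id`, yet the lines right after it unlink and delete every entry in `_resources_ids` for the same `data_link_ids`. If the requested `xref_ids` can resolve to data links under more than one resource (`fetch_resource_id` is not visible here, so this is inferred), a user holding delete privilege on one resource could remove data linked to another. I would either reject such requests or run the check for each affected resource before any mutation, and at minimum record the assumption with a comment such as `# fetch_resource_id must fail unless all data_link_ids belong to exactly one resource`. The body of `delete_linked_phenotypes_data` starts and continues outside this hunk.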