aboutsummaryrefslogtreecommitdiff
path: root/gn_auth/auth/authorisation/groups
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-09-14 12:06:23 +0300
committerFrederick Muriuki Muriithi2023-09-26 03:44:30 +0300
commite19b01571ce61e01f482a1dadeeb2fd835fda939 (patch)
tree27b8c7f86313a86bc1e6705ac65ff5996403eace /gn_auth/auth/authorisation/groups
parent345e33fc8e1b12dda6626307ebac7e1206200974 (diff)
downloadgn-auth-e19b01571ce61e01f482a1dadeeb2fd835fda939.tar.gz
Move `groups` package under `resources` package
With user groups being resources that users can act on (with the recent changes), this commit moves the `groups` module to under the `resources` module. It also renames the `*_resources.py` modules by dropping the `_resources` part since the code is under the `resources` module anyway.
Diffstat (limited to 'gn_auth/auth/authorisation/groups')
-rw-r--r--gn_auth/auth/authorisation/groups/__init__.py3
-rw-r--r--gn_auth/auth/authorisation/groups/data.py107
-rw-r--r--gn_auth/auth/authorisation/groups/models.py433
-rw-r--r--gn_auth/auth/authorisation/groups/views.py431
4 files changed, 0 insertions, 974 deletions
diff --git a/gn_auth/auth/authorisation/groups/__init__.py b/gn_auth/auth/authorisation/groups/__init__.py
deleted file mode 100644
index 1cb0bba..0000000
--- a/gn_auth/auth/authorisation/groups/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-"""Initialise the `gn3.auth.authorisation.groups` package"""
-
-from .models import Group, GroupRole
diff --git a/gn_auth/auth/authorisation/groups/data.py b/gn_auth/auth/authorisation/groups/data.py
deleted file mode 100644
index 1650405..0000000
--- a/gn_auth/auth/authorisation/groups/data.py
+++ /dev/null
@@ -1,107 +0,0 @@
-"""Handles the resource objects' data."""
-from MySQLdb.cursors import DictCursor
-
-from ..groups import Group
-from ..checks import authorised_p
-from ..errors import NotFoundError
-
-from ...db import mariadb as gn3db
-from ...db import sqlite3 as authdb
-
-def __fetch_mrna_data_by_ids__(
- conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[
- dict, ...]:
- """Fetch mRNA Assay data by ID."""
- with conn.cursor(DictCursor) as cursor:
- paramstr = ", ".join(["%s"] * len(dataset_ids))
- cursor.execute(
- "SELECT psf.Id, psf.Name AS dataset_name, "
- "psf.FullName AS dataset_fullname, "
- "ifiles.GN_AccesionId AS accession_id FROM ProbeSetFreeze AS psf "
- "INNER JOIN InfoFiles AS ifiles ON psf.Name=ifiles.InfoPageName "
- f"WHERE psf.Id IN ({paramstr})",
- dataset_ids)
- res = cursor.fetchall()
- if res:
- return tuple(dict(row) for row in res)
- raise NotFoundError("Could not find mRNA Assay data with the given ID.")
-
-def __fetch_geno_data_by_ids__(
- conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[
- dict, ...]:
- """Fetch genotype data by ID."""
- with conn.cursor(DictCursor) as cursor:
- paramstr = ", ".join(["%s"] * len(dataset_ids))
- cursor.execute(
- "SELECT gf.Id, gf.Name AS dataset_name, "
- "gf.FullName AS dataset_fullname, "
- "ifiles.GN_AccesionId AS accession_id FROM GenoFreeze AS gf "
- "INNER JOIN InfoFiles AS ifiles ON gf.Name=ifiles.InfoPageName "
- f"WHERE gf.Id IN ({paramstr})",
- dataset_ids)
- res = cursor.fetchall()
- if res:
- return tuple(dict(row) for row in res)
- raise NotFoundError("Could not find Genotype data with the given ID.")
-
-def __fetch_pheno_data_by_ids__(
- conn: gn3db.DbConnection, dataset_ids: tuple[str, ...]) -> tuple[
- dict, ...]:
- """Fetch phenotype data by ID."""
- with conn.cursor(DictCursor) as cursor:
- paramstr = ", ".join(["%s"] * len(dataset_ids))
- cursor.execute(
- "SELECT pxf.Id, iset.InbredSetName, pf.Id AS dataset_id, "
- "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, "
- "ifiles.GN_AccesionId AS accession_id "
- "FROM PublishXRef AS pxf "
- "INNER JOIN InbredSet AS iset ON pxf.InbredSetId=iset.InbredSetId "
- "INNER JOIN PublishFreeze AS pf ON iset.InbredSetId=pf.InbredSetId "
- "INNER JOIN InfoFiles AS ifiles ON pf.Name=ifiles.InfoPageName "
- f"WHERE pxf.Id IN ({paramstr})",
- dataset_ids)
- res = cursor.fetchall()
- if res:
- return tuple(dict(row) for row in res)
- raise NotFoundError(
- "Could not find Phenotype/Publish data with the given IDs.")
-
-def __fetch_data_by_id(
- conn: gn3db.DbConnection, dataset_type: str,
- dataset_ids: tuple[str, ...]) -> tuple[dict, ...]:
- """Fetch data from MySQL by IDs."""
- fetch_fns = {
- "mrna": __fetch_mrna_data_by_ids__,
- "genotype": __fetch_geno_data_by_ids__,
- "phenotype": __fetch_pheno_data_by_ids__
- }
- return fetch_fns[dataset_type](conn, dataset_ids)
-
-@authorised_p(("system:data:link-to-group",),
- error_description=(
- "You do not have sufficient privileges to link data to (a) "
- "group(s)."),
- oauth2_scope="profile group resource")
-def link_data_to_group(
- authconn: authdb.DbConnection, gn3conn: gn3db.DbConnection,
- dataset_type: str, dataset_ids: tuple[str, ...], group: Group) -> tuple[
- dict, ...]:
- """Link the given data to the specified group."""
- the_data = __fetch_data_by_id(gn3conn, dataset_type, dataset_ids)
- with authdb.cursor(authconn) as cursor:
- params = tuple({
- "group_id": str(group.group_id), "dataset_type": {
- "mrna": "mRNA", "genotype": "Genotype",
- "phenotype": "Phenotype"
- }[dataset_type],
- "dataset_or_trait_id": item["Id"],
- "dataset_name": item["dataset_name"],
- "dataset_fullname": item["dataset_fullname"],
- "accession_id": item["accession_id"]
- } for item in the_data)
- cursor.executemany(
- "INSERT INTO linked_group_data VALUES"
- "(:group_id, :dataset_type, :dataset_or_trait_id, :dataset_name, "
- ":dataset_fullname, :accession_id)",
- params)
- return params
diff --git a/gn_auth/auth/authorisation/groups/models.py b/gn_auth/auth/authorisation/groups/models.py
deleted file mode 100644
index c40adbd..0000000
--- a/gn_auth/auth/authorisation/groups/models.py
+++ /dev/null
@@ -1,433 +0,0 @@
-"""Handle the management of resource/user groups."""
-import json
-from uuid import UUID, uuid4
-from functools import reduce
-from typing import Any, Sequence, Iterable, Optional, NamedTuple
-
-from flask import g
-from pymonad.maybe import Just, Maybe, Nothing
-
-from ...db import sqlite3 as db
-from ...dictify import dictify
-from ...authentication.users import User, user_by_id
-
-from ..checks import authorised_p
-from ..privileges import Privilege
-from ..errors import NotFoundError, AuthorisationError, InconsistencyError
-from ..roles.models import (
- Role, create_role, check_user_editable, revoke_user_role_by_name,
- assign_user_role_by_name)
-
-class Group(NamedTuple):
- """Class representing a group."""
- group_id: UUID
- group_name: str
- group_metadata: dict[str, Any]
-
- def dictify(self):
- """Return a dict representation of `Group` objects."""
- return {
- "group_id": self.group_id, "group_name": self.group_name,
- "group_metadata": self.group_metadata
- }
-
-DUMMY_GROUP = Group(
- group_id=UUID("77cee65b-fe29-4383-ae41-3cb3b480cc70"),
- group_name="GN3_DUMMY_GROUP",
- group_metadata={
- "group-description": "This is a dummy group to use as a placeholder"
- })
-
-class GroupRole(NamedTuple):
- """Class representing a role tied/belonging to a group."""
- group_role_id: UUID
- group: Group
- role: Role
-
- def dictify(self) -> dict[str, Any]:
- """Return a dict representation of `GroupRole` objects."""
- return {
- "group_role_id": self.group_role_id, "group": dictify(self.group),
- "role": dictify(self.role)
- }
-
-class GroupCreationError(AuthorisationError):
- """Raised whenever a group creation fails"""
-
-class MembershipError(AuthorisationError):
- """Raised when there is an error with a user's membership to a group."""
-
- def __init__(self, user: User, groups: Sequence[Group]):
- """Initialise the `MembershipError` exception object."""
- groups_str = ", ".join(group.group_name for group in groups)
- error_description = (
- f"User '{user.name} ({user.email})' is a member of {len(groups)} "
- f"groups ({groups_str})")
- super().__init__(f"{type(self).__name__}: {error_description}.")
-
-def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
- """Returns all the groups that a member belongs to"""
- query = (
- "SELECT groups.group_id, group_name, groups.group_metadata "
- "FROM group_users INNER JOIN groups "
- "ON group_users.group_id=groups.group_id "
- "WHERE group_users.user_id=?")
- with db.cursor(conn) as cursor:
- cursor.execute(query, (str(user.user_id),))
- groups = tuple(Group(row[0], row[1], json.loads(row[2]))
- for row in cursor.fetchall())
-
- return groups
-
-@authorised_p(
- privileges = ("system:group:create-group",),
- error_description = (
- "You do not have the appropriate privileges to enable you to "
- "create a new group."),
- oauth2_scope = "profile group")
-def create_group(
- conn: db.DbConnection, group_name: str, group_leader: User,
- group_description: Optional[str] = None) -> Group:
- """Create a new group."""
- def resource_category_by_key(
- cursor: db.DbCursor, category_key: str):
- """Retrieve a resource category by its key."""
- cursor.execute(
- "SELECT * FROM resource_categories WHERE "
- "resource_category_key=?",
- (category_key,))
- results = cursor.fetchone()
- if results:
- return dict(results)
- raise NotFoundError(
- f"Could not find a ResourceCategory with key '{category_key}'")
-
- user_groups = user_membership(conn, group_leader)
- if len(user_groups) > 0:
- raise MembershipError(group_leader, user_groups)
-
- with db.cursor(conn) as cursor:
- new_group = save_group(
- cursor, group_name,(
- {"group_description": group_description}
- if group_description else {}))
- group_resource = {
- "group_id": str(new_group.group_id),
- "resource_id": str(uuid4()),
- "resource_name": group_name,
- "resource_category_id": str(
- resource_category_by_key(cursor, "group")["resource_category_id"]),
- "public": 0
- }
- cursor.execute(
- "INSERT INTO resources VALUES "
- "(:resource_id, :resource_name, :resource_category_id, :public)",
- group_resource)
- cursor.execute(
- "INSERT INTO group_resources(resource_id, group_id) "
- "VALUES(:resource_id, :group_id)",
- group_resource)
- add_user_to_group(cursor, new_group, group_leader)
- revoke_user_role_by_name(cursor, group_leader, "group-creator")
- assign_user_role_by_name(
- cursor,
- group_leader,
- UUID(str(group_resource["resource_id"])),
- "group-leader")
- return new_group
-
-@authorised_p(("group:role:create-role",),
- error_description="Could not create the group role")
-def create_group_role(
- conn: db.DbConnection, group: Group, role_name: str,
- privileges: Iterable[Privilege]) -> GroupRole:
- """Create a role attached to a group."""
- with db.cursor(conn) as cursor:
- group_role_id = uuid4()
- role = create_role(cursor, role_name, privileges)
- cursor.execute(
- ("INSERT INTO group_roles(group_role_id, group_id, role_id) "
- "VALUES(?, ?, ?)"),
- (str(group_role_id), str(group.group_id), str(role.role_id)))
-
- return GroupRole(group_role_id, group, role)
-
-def authenticated_user_group(conn) -> Maybe:
- """
- Returns the currently authenticated user's group.
-
- Look into returning a Maybe object.
- """
- user = g.user
- with db.cursor(conn) as cursor:
- cursor.execute(
- ("SELECT groups.* FROM group_users "
- "INNER JOIN groups ON group_users.group_id=groups.group_id "
- "WHERE group_users.user_id = ?"),
- (str(user.user_id),))
- groups = tuple(Group(UUID(row[0]), row[1], json.loads(row[2] or "{}"))
- for row in cursor.fetchall())
-
- if len(groups) > 1:
- raise MembershipError(user, groups)
-
- if len(groups) == 1:
- return Just(groups[0])
-
- return Nothing
-
-def user_group(conn: db.DbConnection, user: User) -> Maybe[Group]:
- """Returns the given user's group"""
- with db.cursor(conn) as cursor:
- cursor.execute(
- ("SELECT groups.group_id, groups.group_name, groups.group_metadata "
- "FROM group_users "
- "INNER JOIN groups ON group_users.group_id=groups.group_id "
- "WHERE group_users.user_id = ?"),
- (str(user.user_id),))
- groups = tuple(
- Group(UUID(row[0]), row[1], json.loads(row[2] or "{}"))
- for row in cursor.fetchall())
-
- if len(groups) > 1:
- raise MembershipError(user, groups)
-
- if len(groups) == 1:
- return Just(groups[0])
-
- return Nothing
-
-def is_group_leader(conn: db.DbConnection, user: User, group: Group) -> bool:
- """Check whether the given `user` is the leader of `group`."""
-
- ugroup = user_group(conn, user).maybe(
- False, lambda val: val) # type: ignore[arg-type, misc]
- if not group:
- # User cannot be a group leader if not a member of ANY group
- return False
-
- if not ugroup == group:
- # User cannot be a group leader if not a member of THIS group
- return False
-
- with db.cursor(conn) as cursor:
- cursor.execute(
- ("SELECT roles.role_name FROM user_roles LEFT JOIN roles "
- "ON user_roles.role_id = roles.role_id WHERE user_id = ?"),
- (str(user.user_id),))
- role_names = tuple(row[0] for row in cursor.fetchall())
-
- return "group-leader" in role_names
-
-def all_groups(conn: db.DbConnection) -> Maybe[Sequence[Group]]:
- """Retrieve all existing groups"""
- with db.cursor(conn) as cursor:
- cursor.execute("SELECT * FROM groups")
- res = cursor.fetchall()
- if res:
- return Just(tuple(
- Group(row["group_id"], row["group_name"],
- json.loads(row["group_metadata"])) for row in res))
-
- return Nothing
-
-def save_group(
- cursor: db.DbCursor, group_name: str,
- group_metadata: dict[str, Any]) -> Group:
- """Save a group to db"""
- the_group = Group(uuid4(), group_name, group_metadata)
- cursor.execute(
- ("INSERT INTO groups "
- "VALUES(:group_id, :group_name, :group_metadata) "
- "ON CONFLICT (group_id) DO UPDATE SET "
- "group_name=:group_name, group_metadata=:group_metadata"),
- {"group_id": str(the_group.group_id), "group_name": the_group.group_name,
- "group_metadata": json.dumps(the_group.group_metadata)})
- return the_group
-
-def add_user_to_group(cursor: db.DbCursor, the_group: Group, user: User):
- """Add `user` to `the_group` as a member."""
- cursor.execute(
- ("INSERT INTO group_users VALUES (:group_id, :user_id) "
- "ON CONFLICT (group_id, user_id) DO NOTHING"),
- {"group_id": str(the_group.group_id), "user_id": str(user.user_id)})
-
-@authorised_p(
- privileges = ("system:group:view-group",),
- error_description = (
- "You do not have the appropriate privileges to access the list of users"
- " in the group."))
-def group_users(conn: db.DbConnection, group_id: UUID) -> Iterable[User]:
- """Retrieve all users that are members of group with id `group_id`."""
- with db.cursor(conn) as cursor:
- cursor.execute(
- "SELECT u.* FROM group_users AS gu INNER JOIN users AS u "
- "ON gu.user_id = u.user_id WHERE gu.group_id=:group_id",
- {"group_id": str(group_id)})
- results = cursor.fetchall()
-
- return (User(UUID(row["user_id"]), row["email"], row["name"])
- for row in results)
-
-@authorised_p(
- privileges = ("system:group:view-group",),
- error_description = (
- "You do not have the appropriate privileges to access the group."))
-def group_by_id(conn: db.DbConnection, group_id: UUID) -> Group:
- """Retrieve a group by its ID"""
- with db.cursor(conn) as cursor:
- cursor.execute("SELECT * FROM groups WHERE group_id=:group_id",
- {"group_id": str(group_id)})
- row = cursor.fetchone()
- if row:
- return Group(
- UUID(row["group_id"]),
- row["group_name"],
- json.loads(row["group_metadata"]))
-
- raise NotFoundError(f"Could not find group with ID '{group_id}'.")
-
-@authorised_p(("system:group:view-group", "system:group:edit-group"),
- error_description=("You do not have the appropriate authorisation"
- " to act upon the join requests."),
- oauth2_scope="profile group")
-def join_requests(conn: db.DbConnection, user: User):
- """List all the join requests for the user's group."""
- with db.cursor(conn) as cursor:
- group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp)# type: ignore[misc]
- if group != DUMMY_GROUP and is_group_leader(conn, user, group):
- cursor.execute(
- "SELECT gjr.*, u.email, u.name FROM group_join_requests AS gjr "
- "INNER JOIN users AS u ON gjr.requester_id=u.user_id "
- "WHERE gjr.group_id=? AND gjr.status='PENDING'",
- (str(group.group_id),))
- return tuple(dict(row)for row in cursor.fetchall())
-
- raise AuthorisationError(
- "You do not have the appropriate authorisation to access the "
- "group's join requests.")
-
-@authorised_p(("system:group:view-group", "system:group:edit-group"),
- error_description=("You do not have the appropriate authorisation"
- " to act upon the join requests."),
- oauth2_scope="profile group")
-def accept_reject_join_request(
- conn: db.DbConnection, request_id: UUID, user: User, status: str) -> dict:
- """Accept/Reject a join request."""
- assert status in ("ACCEPTED", "REJECTED"), f"Invalid status '{status}'."
- with db.cursor(conn) as cursor:
- group = user_group(conn, user).maybe(DUMMY_GROUP, lambda grp: grp) # type: ignore[misc]
- cursor.execute("SELECT * FROM group_join_requests WHERE request_id=?",
- (str(request_id),))
- row = cursor.fetchone()
- if row:
- if group.group_id == UUID(row["group_id"]):
- try:
- the_user = user_by_id(conn, UUID(row["requester_id"]))
- if status == "ACCEPTED":
- add_user_to_group(cursor, group, the_user)
- revoke_user_role_by_name(cursor, the_user, "group-creator")
- cursor.execute(
- "UPDATE group_join_requests SET status=? "
- "WHERE request_id=?",
- (status, str(request_id)))
- return {"request_id": request_id, "status": status}
- except NotFoundError as nfe:
- raise InconsistencyError(
- "Could not find user associated with join request."
- ) from nfe
- raise AuthorisationError(
- "You cannot act on other groups join requests")
- raise NotFoundError(f"Could not find request with ID '{request_id}'")
-
-def __organise_privileges__(acc, row):
- role_id = UUID(row["role_id"])
- role = acc.get(role_id, False)
- if role:
- return {
- **acc,
- role_id: Role(
- role.role_id, role.role_name,
- bool(int(row["user_editable"])),
- role.privileges + (
- Privilege(row["privilege_id"],
- row["privilege_description"]),))
- }
- return {
- **acc,
- role_id: Role(
- UUID(row["role_id"]), row["role_name"],
- bool(int(row["user_editable"])),
- (Privilege(row["privilege_id"], row["privilege_description"]),))
- }
-
-# @authorised_p(("group:role:view",),
-# "Insufficient privileges to view role",
-# oauth2_scope="profile group role")
-def group_role_by_id(
- conn: db.DbConnection, group: Group, group_role_id: UUID) -> GroupRole:
- """Retrieve GroupRole from id by its `group_role_id`."""
- ## TODO: do privileges check before running actual query
- ## the check commented out above doesn't work correctly
- with db.cursor(conn) as cursor:
- cursor.execute(
- "SELECT gr.group_role_id, r.*, p.* "
- "FROM group_roles AS gr "
- "INNER JOIN roles AS r ON gr.role_id=r.role_id "
- "INNER JOIN role_privileges AS rp ON rp.role_id=r.role_id "
- "INNER JOIN privileges AS p ON p.privilege_id=rp.privilege_id "
- "WHERE gr.group_role_id=? AND gr.group_id=?",
- (str(group_role_id), str(group.group_id)))
- rows = cursor.fetchall()
- if rows:
- roles: tuple[Role,...] = tuple(reduce(
- __organise_privileges__, rows, {}).values())
- assert len(roles) == 1
- return GroupRole(group_role_id, group, roles[0])
- raise NotFoundError(
- f"Group role with ID '{group_role_id}' does not exist.")
-
-@authorised_p(("group:role:edit-role",),
- "You do not have the privilege to edit a role.",
- oauth2_scope="profile group role")
-def add_privilege_to_group_role(conn: db.DbConnection, group_role: GroupRole,
- privilege: Privilege) -> GroupRole:
- """Add `privilege` to `group_role`."""
- ## TODO: do privileges check.
- check_user_editable(group_role.role)
- with db.cursor(conn) as cursor:
- cursor.execute(
- "INSERT INTO role_privileges(role_id,privilege_id) "
- "VALUES (?, ?) ON CONFLICT (role_id, privilege_id) "
- "DO NOTHING",
- (str(group_role.role.role_id), str(privilege.privilege_id)))
- return GroupRole(
- group_role.group_role_id,
- group_role.group,
- Role(group_role.role.role_id,
- group_role.role.role_name,
- group_role.role.user_editable,
- group_role.role.privileges + (privilege,)))
-
-@authorised_p(("group:role:edit-role",),
- "You do not have the privilege to edit a role.",
- oauth2_scope="profile group role")
-def delete_privilege_from_group_role(
- conn: db.DbConnection, group_role: GroupRole,
- privilege: Privilege) -> GroupRole:
- """Delete `privilege` to `group_role`."""
- ## TODO: do privileges check.
- check_user_editable(group_role.role)
- with db.cursor(conn) as cursor:
- cursor.execute(
- "DELETE FROM role_privileges WHERE "
- "role_id=? AND privilege_id=?",
- (str(group_role.role.role_id), str(privilege.privilege_id)))
- return GroupRole(
- group_role.group_role_id,
- group_role.group,
- Role(group_role.role.role_id,
- group_role.role.role_name,
- group_role.role.user_editable,
- tuple(priv for priv in group_role.role.privileges
- if priv != privilege)))
diff --git a/gn_auth/auth/authorisation/groups/views.py b/gn_auth/auth/authorisation/groups/views.py
deleted file mode 100644
index 4dc17e0..0000000
--- a/gn_auth/auth/authorisation/groups/views.py
+++ /dev/null
@@ -1,431 +0,0 @@
-"""The views/routes for the `gn3.auth.authorisation.groups` package."""
-import uuid
-import datetime
-from typing import Iterable
-from functools import partial
-
-from MySQLdb.cursors import DictCursor
-from flask import request, jsonify, Response, Blueprint, current_app
-
-from ...db import sqlite3 as db
-from ...db import mariadb as gn3db
-
-from ...dictify import dictify
-from ...db.sqlite3 import with_db_connection
-
-from .data import link_data_to_group
-from .models import (
- Group, user_group, all_groups, DUMMY_GROUP, GroupRole, group_by_id,
- join_requests, group_role_by_id, GroupCreationError,
- accept_reject_join_request, group_users as _group_users,
- create_group as _create_group, add_privilege_to_group_role,
- delete_privilege_from_group_role, create_group_role as _create_group_role)
-
-from ..roles.models import Role
-from ..roles.models import user_roles
-
-from ..checks import authorised_p
-from ..privileges import Privilege, privileges_by_ids
-from ..errors import InvalidData, NotFoundError, AuthorisationError
-
-from ...authentication.users import User
-from ...authentication.oauth2.resource_server import require_oauth
-
-groups = Blueprint("groups", __name__)
-
-@groups.route("/list", methods=["GET"])
-@require_oauth("profile group")
-def list_groups():
- """Return the list of groups that exist."""
- with db.connection(current_app.config["AUTH_DB"]) as conn:
- the_groups = all_groups(conn)
-
- return jsonify(the_groups.maybe(
- [], lambda grps: [dictify(grp) for grp in grps]))
-
-@groups.route("/create", methods=["POST"])
-@require_oauth("profile group")
-def create_group():
- """Create a new group."""
- with require_oauth.acquire("profile group") as the_token:
- group_name=request.form.get("group_name", "").strip()
- if not bool(group_name):
- raise GroupCreationError("Could not create the group.")
-
- db_uri = current_app.config["AUTH_DB"]
- with db.connection(db_uri) as conn:
- user = the_token.user
- new_group = _create_group(
- conn, group_name, user, request.form.get("group_description"))
- return jsonify({
- **dictify(new_group), "group_leader": dictify(user)
- })
-
-@groups.route("/members/<uuid:group_id>", methods=["GET"])
-@require_oauth("profile group")
-def group_members(group_id: uuid.UUID) -> Response:
- """Retrieve all the members of a group."""
- with require_oauth.acquire("profile group") as the_token:# pylint: disable=[unused-variable]
- db_uri = current_app.config["AUTH_DB"]
- ## Check that user has appropriate privileges and remove the pylint disable above
- with db.connection(db_uri) as conn:
- return jsonify(tuple(
- dictify(user) for user in _group_users(conn, group_id)))
-
-@groups.route("/requests/join/<uuid:group_id>", methods=["POST"])
-@require_oauth("profile group")
-def request_to_join(group_id: uuid.UUID) -> Response:
- """Request to join a group."""
- def __request__(conn: db.DbConnection, user: User, group_id: uuid.UUID,
- message: str):
- with db.cursor(conn) as cursor:
- group = user_group(conn, user).maybe(# type: ignore[misc]
- False, lambda grp: grp)# type: ignore[arg-type]
- if group:
- error = AuthorisationError(
- "You cannot request to join a new group while being a "
- "member of an existing group.")
- error.error_code = 400
- raise error
- request_id = uuid.uuid4()
- cursor.execute(
- "INSERT INTO group_join_requests VALUES "
- "(:request_id, :group_id, :user_id, :ts, :status, :msg)",
- {
- "request_id": str(request_id),
- "group_id": str(group_id),
- "user_id": str(user.user_id),
- "ts": datetime.datetime.now().timestamp(),
- "status": "PENDING",
- "msg": message
- })
- return {
- "request_id": request_id,
- "message": "Successfully sent the join request."
- }
-
- with require_oauth.acquire("profile group") as the_token:
- form = request.form
- results = with_db_connection(partial(
- __request__, user=the_token.user, group_id=group_id, message=form.get(
- "message", "I hereby request that you add me to your group.")))
- return jsonify(results)
-
-@groups.route("/requests/join/list", methods=["GET"])
-@require_oauth("profile group")
-def list_join_requests() -> Response:
- """List the pending join requests."""
- with require_oauth.acquire("profile group") as the_token:
- return jsonify(with_db_connection(partial(
- join_requests, user=the_token.user)))
-
-@groups.route("/requests/join/accept", methods=["POST"])
-@require_oauth("profile group")
-def accept_join_requests() -> Response:
- """Accept a join request."""
- with require_oauth.acquire("profile group") as the_token:
- form = request.form
- request_id = uuid.UUID(form.get("request_id"))
- return jsonify(with_db_connection(partial(
- accept_reject_join_request, request_id=request_id,
- user=the_token.user, status="ACCEPTED")))
-
-@groups.route("/requests/join/reject", methods=["POST"])
-@require_oauth("profile group")
-def reject_join_requests() -> Response:
- """Reject a join request."""
- with require_oauth.acquire("profile group") as the_token:
- form = request.form
- request_id = uuid.UUID(form.get("request_id"))
- return jsonify(with_db_connection(partial(
- accept_reject_join_request, request_id=request_id,
- user=the_token.user, status="REJECTED")))
-
-def unlinked_mrna_data(
- conn: db.DbConnection, group: Group) -> tuple[dict, ...]:
- """
- Retrieve all mRNA Assay data linked to a group but not linked to any
- resource.
- """
- query = (
- "SELECT lmd.* FROM linked_mrna_data lmd "
- "LEFT JOIN mrna_resources mr ON lmd.data_link_id=mr.data_link_id "
- "WHERE lmd.group_id=? AND mr.data_link_id IS NULL")
- with db.cursor(conn) as cursor:
- cursor.execute(query, (str(group.group_id),))
- return tuple(dict(row) for row in cursor.fetchall())
-
-def unlinked_genotype_data(
- conn: db.DbConnection, group: Group) -> tuple[dict, ...]:
- """
- Retrieve all genotype data linked to a group but not linked to any resource.
- """
- query = (
- "SELECT lgd.* FROM linked_genotype_data lgd "
- "LEFT JOIN genotype_resources gr ON lgd.data_link_id=gr.data_link_id "
- "WHERE lgd.group_id=? AND gr.data_link_id IS NULL")
- with db.cursor(conn) as cursor:
- cursor.execute(query, (str(group.group_id),))
- return tuple(dict(row) for row in cursor.fetchall())
-
-def unlinked_phenotype_data(
- authconn: db.DbConnection, gn3conn: gn3db.DbConnection,
- group: Group) -> tuple[dict, ...]:
- """
- Retrieve all phenotype data linked to a group but not linked to any
- resource.
- """
- with db.cursor(authconn) as authcur, gn3conn.cursor(DictCursor) as gn3cur:
- authcur.execute(
- "SELECT lpd.* FROM linked_phenotype_data AS lpd "
- "LEFT JOIN phenotype_resources AS pr "
- "ON lpd.data_link_id=pr.data_link_id "
- "WHERE lpd.group_id=? AND pr.data_link_id IS NULL",
- (str(group.group_id),))
- results = authcur.fetchall()
- ids: dict[tuple[str, ...], str] = {
- (
- row["SpeciesId"], row["InbredSetId"], row["PublishFreezeId"],
- row["PublishXRefId"]): row["data_link_id"]
- for row in results
- }
- if len(ids.keys()) < 1:
- return tuple()
- paramstr = ", ".join(["(%s, %s, %s, %s)"] * len(ids.keys()))
- gn3cur.execute(
- "SELECT spc.SpeciesId, spc.SpeciesName, iset.InbredSetId, "
- "iset.InbredSetName, pf.Id AS PublishFreezeId, "
- "pf.Name AS dataset_name, pf.FullName AS dataset_fullname, "
- "pf.ShortName AS dataset_shortname, pxr.Id AS PublishXRefId, "
- "pub.PubMed_ID, pub.Title, pub.Year, "
- "phen.Pre_publication_description, "
- "phen.Post_publication_description, phen.Original_description "
- "FROM "
- "Species AS spc "
- "INNER JOIN InbredSet AS iset "
- "ON spc.SpeciesId=iset.SpeciesId "
- "INNER JOIN PublishFreeze AS pf "
- "ON iset.InbredSetId=pf.InbredSetId "
- "INNER JOIN PublishXRef AS pxr "
- "ON pf.InbredSetId=pxr.InbredSetId "
- "INNER JOIN Publication AS pub "
- "ON pxr.PublicationId=pub.Id "
- "INNER JOIN Phenotype AS phen "
- "ON pxr.PhenotypeId=phen.Id "
- "WHERE (spc.SpeciesId, iset.InbredSetId, pf.Id, pxr.Id) "
- f"IN ({paramstr})",
- tuple(item for sublist in ids.keys() for item in sublist))
- return tuple({
- **{key: value for key, value in row.items() if key not in
- ("Post_publication_description", "Pre_publication_description",
- "Original_description")},
- "description": (
- row["Post_publication_description"] or
- row["Pre_publication_description"] or
- row["Original_description"]),
- "data_link_id": ids[tuple(str(row[key]) for key in (
- "SpeciesId", "InbredSetId", "PublishFreezeId",
- "PublishXRefId"))]
- } for row in gn3cur.fetchall())
-
-@groups.route("/<string:resource_type>/unlinked-data")
-@require_oauth("profile group resource")
-def unlinked_data(resource_type: str) -> Response:
- """View data linked to the group but not linked to any resource."""
- if resource_type not in ("all", "mrna", "genotype", "phenotype"):
- raise AuthorisationError(f"Invalid resource type {resource_type}")
-
- with require_oauth.acquire("profile group resource") as the_token:
- db_uri = current_app.config["AUTH_DB"]
- gn3db_uri = current_app.config["SQL_URI"]
- with (db.connection(db_uri) as authconn,
- gn3db.database_connection(gn3db_uri) as gn3conn):
- ugroup = user_group(authconn, the_token.user).maybe(# type: ignore[misc]
- DUMMY_GROUP, lambda grp: grp)
- if ugroup == DUMMY_GROUP:
- return jsonify(tuple())
-
- unlinked_fns = {
- "mrna": unlinked_mrna_data,
- "genotype": unlinked_genotype_data,
- "phenotype": lambda conn, grp: partial(
- unlinked_phenotype_data, gn3conn=gn3conn)(
- authconn=conn, group=grp)
- }
- return jsonify(tuple(
- dict(row) for row in unlinked_fns[resource_type](
- authconn, ugroup)))
-
- return jsonify(tuple())
-
-@groups.route("/data/link", methods=["POST"])
-@require_oauth("profile group resource")
-def link_data() -> Response:
- """Link selected data to specified group."""
- with require_oauth.acquire("profile group resource") as _the_token:
- form = request.form
- group_id = uuid.UUID(form["group_id"])
- dataset_ids = form.getlist("dataset_ids")
- dataset_type = form.get("dataset_type")
- if dataset_type not in ("mrna", "genotype", "phenotype"):
- raise InvalidData("Unexpected dataset type requested!")
- def __link__(conn: db.DbConnection):
- group = group_by_id(conn, group_id)
- with gn3db.database_connection(current_app.config["SQL_URI"]) as gn3conn:
- return link_data_to_group(
- conn, gn3conn, dataset_type, dataset_ids, group)
-
- return jsonify(with_db_connection(__link__))
-
-@groups.route("/roles", methods=["GET"])
-@require_oauth("profile group")
-def group_roles():
- """Return a list of all available group roles."""
- with require_oauth.acquire("profile group role") as the_token:
- def __list_roles__(conn: db.DbConnection):
- ## TODO: Check that user has appropriate privileges
- with db.cursor(conn) as cursor:
- group = user_group(conn, the_token.user).maybe(# type: ignore[misc]
- DUMMY_GROUP, lambda grp: grp)
- if group == DUMMY_GROUP:
- return tuple()
- cursor.execute(
- "SELECT gr.group_role_id, r.* "
- "FROM group_roles AS gr INNER JOIN roles AS r "
- "ON gr.role_id=r.role_id "
- "WHERE group_id=?",
- (str(group.group_id),))
- return tuple(
- GroupRole(uuid.UUID(row["group_role_id"]),
- group,
- Role(uuid.UUID(row["role_id"]),
- row["role_name"],
- bool(int(row["user_editable"])),
- tuple()))
- for row in cursor.fetchall())
- return jsonify(tuple(
- dictify(role) for role in with_db_connection(__list_roles__)))
-
-@groups.route("/privileges", methods=["GET"])
-@require_oauth("profile group")
-def group_privileges():
- """Return a list of all available group roles."""
- with require_oauth.acquire("profile group role") as the_token:
- def __list_privileges__(conn: db.DbConnection) -> Iterable[Privilege]:
- ## TODO: Check that user has appropriate privileges
- this_user_roles = user_roles(conn, the_token.user)
- with db.cursor(conn) as cursor:
- cursor.execute("SELECT * FROM privileges "
- "WHERE privilege_id LIKE 'group:%'")
- group_level_roles = tuple(
- Privilege(row["privilege_id"], row["privilege_description"])
- for row in cursor.fetchall())
- return tuple(privilege for arole in this_user_roles
- for privilege in arole.privileges) + group_level_roles
- return jsonify(tuple(
- dictify(priv) for priv in with_db_connection(__list_privileges__)))
-
-
-
-@groups.route("/role/create", methods=["POST"])
-@require_oauth("profile group")
-def create_group_role():
- """Create a new group role."""
- with require_oauth.acquire("profile group role") as the_token:
- ## TODO: Check that user has appropriate privileges
- @authorised_p(("group:role:create-role",),
- "You do not have the privilege to create new roles",
- oauth2_scope="profile group role")
- def __create__(conn: db.DbConnection) -> GroupRole:
- ## TODO: Check user cannot assign any privilege they don't have.
- form = request.form
- role_name = form.get("role_name", "").strip()
- privileges_ids = form.getlist("privileges[]")
- if len(role_name) == 0:
- raise InvalidData("Role name not provided!")
- if len(privileges_ids) == 0:
- raise InvalidData(
- "At least one privilege needs to be provided.")
-
- group = user_group(conn, the_token.user).maybe(# type: ignore[misc]
- DUMMY_GROUP, lambda grp: grp)
-
- if group == DUMMY_GROUP:
- raise AuthorisationError(
- "A user without a group cannot create a new role.")
- privileges = privileges_by_ids(conn, tuple(privileges_ids))
- if len(privileges_ids) != len(privileges):
- raise InvalidData(
- f"{len(privileges_ids) - len(privileges)} of the selected "
- "privileges were not found in the database.")
-
- return _create_group_role(conn, group, role_name, privileges)
-
- return jsonify(with_db_connection(__create__))
-
-@groups.route("/role/<uuid:group_role_id>", methods=["GET"])
-@require_oauth("profile group")
-def view_group_role(group_role_id: uuid.UUID):
- """Return the details of the given role."""
- with require_oauth.acquire("profile group role") as the_token:
- def __group_role__(conn: db.DbConnection) -> GroupRole:
- group = user_group(conn, the_token.user).maybe(#type: ignore[misc]
- DUMMY_GROUP, lambda grp: grp)
-
- if group == DUMMY_GROUP:
- raise AuthorisationError(
- "A user without a group cannot view group roles.")
- return group_role_by_id(conn, group, group_role_id)
- return jsonify(dictify(with_db_connection(__group_role__)))
-
-def __add_remove_priv_to_from_role__(conn: db.DbConnection,
- group_role_id: uuid.UUID,
- direction: str,
- user: User) -> GroupRole:
- assert direction in ("ADD", "DELETE")
- group = user_group(conn, user).maybe(# type: ignore[misc]
- DUMMY_GROUP, lambda grp: grp)
-
- if group == DUMMY_GROUP:
- raise AuthorisationError(
- "You need to be a member of a group to edit roles.")
- try:
- privilege_id = request.form.get("privilege_id", "")
- assert bool(privilege_id), "Privilege to add must be provided."
- privileges = privileges_by_ids(conn, (privilege_id,))
- if len(privileges) == 0:
- raise NotFoundError("Privilege not found.")
- dir_fns = {
- "ADD": add_privilege_to_group_role,
- "DELETE": delete_privilege_from_group_role
- }
- return dir_fns[direction](
- conn,
- group_role_by_id(conn, group, group_role_id),
- privileges[0])
- except AssertionError as aerr:
- raise InvalidData(aerr.args[0]) from aerr
-
-@groups.route("/role/<uuid:group_role_id>/privilege/add", methods=["POST"])
-@require_oauth("profile group")
-def add_priv_to_role(group_role_id: uuid.UUID) -> Response:
- """Add privilege to group role."""
- with require_oauth.acquire("profile group role") as the_token:
- return jsonify({
- **dictify(with_db_connection(partial(
- __add_remove_priv_to_from_role__, group_role_id=group_role_id,
- direction="ADD", user=the_token.user))),
- "description": "Privilege added successfully"
- })
-
-@groups.route("/role/<uuid:group_role_id>/privilege/delete", methods=["POST"])
-@require_oauth("profile group")
-def delete_priv_from_role(group_role_id: uuid.UUID) -> Response:
- """Delete privilege from group role."""
- with require_oauth.acquire("profile group role") as the_token:
- return jsonify({
- **dictify(with_db_connection(partial(
- __add_remove_priv_to_from_role__, group_role_id=group_role_id,
- direction="DELETE", user=the_token.user))),
- "description": "Privilege deleted successfully"
- })