authorFrederick Muriuki Muriithi2023-09-26 02:36:37 +0300
committerFrederick Muriuki Muriithi2023-09-26 03:44:33 +0300
commit9f4e9db223b4e2c052756208ecf035044db0451d (patch)
treea745569a1bb89ae2659b0ad7353dab3815958008 /gn_auth/auth/authorisation/roles
parent196a9399d28e20c55cbb173ce4052845cfad5bf3 (diff)
Add `public-view` role. Assign it to users.
Add a new `public-view` role to be assigned to all users on all resources that are defined as publicly viewable. Update code to assign the `public-view` role to a newly registered user for all publicly viewable roles. Update the code to assign/revoke the `public-view` role to/from users whenever the resource is toggled to and from being publicly viewable. Ensure that `public-view` is not revoked from system-administrators. Ensure that `public-view` is not revoked from the group administrators of the group that owns the resource.
Diffstat (limited to 'gn_auth/auth/authorisation/roles')
-rw-r--r--gn_auth/auth/authorisation/roles/models.py38
1 files changed, 30 insertions, 8 deletions
diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py
index 4281446..7d78eac 100644
--- a/gn_auth/auth/authorisation/roles/models.py
+++ b/gn_auth/auth/authorisation/roles/models.py
@@ -133,18 +133,40 @@ def user_role(conn: db.DbConnection, user: User, role_id: UUID) -> Either:
return Left(NotFoundError(
f"Could not find role with id '{role_id}'",))
-def assign_default_roles(cursor: db.DbCursor, user: User):
- """Assign `user` some default roles."""
+def __assign_group_creator_role__(cursor: db.DbCursor, user: User):
cursor.execute(
'SELECT role_id FROM roles WHERE role_name IN '
'("group-creator")')
- role_ids = cursor.fetchall()
- str_user_id = str(user.user_id)
- params = tuple(
- {"user_id": str_user_id, "role_id": row["role_id"]} for row in role_ids)
+ role_id = cursor.fetchone()["role_id"]
+ cursor.execute(
+ "SELECT resource_id FROM resources AS r "
+ "INNER JOIN resource_categories AS rc "
+ "ON r.resource_category_id=rc.resource_category_id "
+ "WHERE rc.resource_category_key='system'")
+ resource_id = cursor.fetchone()["resource_id"]
+ cursor.execute(
+ ("INSERT INTO user_roles VALUES (:user_id, :role_id, :resource_id)"),
+ {"user_id": str(user.user_id), "role_id": role_id,
+ "resource_id": resource_id})
+
+def __assign_public_view_role__(cursor: db.DbCursor, user: User):
+ cursor.execute("SELECT resource_id FROM resources WHERE public=1")
+ public_resources = tuple(row["resource_id"] for row in cursor.fetchall())
+ cursor.execute("SELECT role_id FROM roles WHERE role_name='public-view'")
+ role_id = cursor.fetchone()["role_id"]
cursor.executemany(
- ("INSERT INTO user_roles VALUES (:user_id, :role_id)"),
- params)
+ "INSERT INTO user_roles(user_id, role_id, resource_id "
+ "VALUES(:user_id, :role_id, :resource_id)",
+ tuple({
+ "user_id": str(user.user_id),
+ "role_id": role_id,
+ "resource_id": resource_id
+ } for resource_id in public_resources))
+
+def assign_default_roles(cursor: db.DbCursor, user: User):
+ """Assign `user` some default roles."""
+ __assign_group_creator_role__(cursor, user)
+ __assign_public_view_role__(cursor, user)
def revoke_user_role_by_name(cursor: db.DbCursor, user: User, role_name: str):
"""Revoke a role from `user` by the role's name"""
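Review bot: The INSERT added in `__assign_public_view_role__` never closes its column list, so the concatenated statement reads `INSERT INTO user_roles(user_id, role_id, resource_id VALUES(...)` and the database should reject it as a syntax error; the first fragment should be `"INSERT INTO user_roles(user_id, role_id, resource_id) "`. Since `assign_default_roles` now calls this helper, the error would presumably surface whenever default roles are assigned to a new user, so a test that registers a user while at least one `public=1` resource exists would catch it. Both new helpers also subscript `cursor.fetchone()` directly, so a missing `group-creator` or `public-view` role row, or a missing `system` resource, fails with a `TypeError` on `None`; an explicit check that raises a descriptive error would make a mis-seeded authorisation database much easier to diagnose. Each helper would also benefit from a one-line docstring stating which role it grants and on which resources, and the positional `INSERT INTO user_roles VALUES (...)` in `__assign_group_creator_role__` would be safer with the same explicit column list so that a schema change cannot silently bind a role to the wrong column.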