author | Frederick Muriuki Muriithi | 2024-06-11 11:20:34 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2024-06-11 11:25:00 -0500 |
commit | a060c0d277300d5fda06772bf95e1456159111e2 (patch) | |
tree | 2c309fd859743ce16b509feef0c3bb9cd083aec0 /gn_auth/auth | |
parent | d2b388bb1b7ab7d693a29dc172256d79f5bea1eb (diff) | |
download | gn-auth-handle-role-privilege-escalation.tar.gz |
List users assigned a particular role on a specific resource.handle-role-privilege-escalation
Diffstat (limited to 'gn_auth/auth')
-rw-r--r-- | gn_auth/auth/authorisation/resources/views.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index f0413e8..4c8411f 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -535,3 +535,21 @@ def unassign_resource_role_privilege(resource_id: UUID, role_id: UUID):
         "status": "Success",
         "message": "Privilege was unassigned."
     }), 200
+
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/users",
+                 methods=["GET"])
+@require_oauth("profile group resource")
+def resource_role_users(resource_id: UUID, role_id: UUID):
+    """Retrieve users assigned role on resource."""
+    with (require_oauth.acquire("profile group resource") as _token,
+          db.connection(app.config["AUTH_DB"]) as conn,
+          db.cursor(conn) as cursor):
+        # MAYBE: check user has something like resource:role:view-users
+        cursor.execute(
+            "SELECT u.* FROM user_roles AS ur INNER JOIN users AS u "
+            "ON ur.user_id=u.user_id WHERE ur.resource_id=? AND ur.role_id=?",
+            (str(resource_id), str(role_id)))
+        results = cursor.fetchall() or []
+
+    return jsonify(tuple(User.from_sqlite3_row(row) for row in results)), 200
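Review bot: The new `resource_role_users` endpoint returns the full user rows for any `resource_id`/`role_id` pair to any caller holding the `profile group resource` scope, and the `# MAYBE:` comment is the only trace of the missing per-resource authorisation check — the scope decorator proves the token is valid, not that the token's user has any relationship to that resource. Before this ships, the body of the `with` block should reject the request unless the user behind `_token` holds a view privilege on `resource_id` (the privilege name in the comment, `resource:role:view-users`, is a reasonable candidate if it exists in the privilege table), so the `MAYBE` should become a real check or at minimum a `# TODO(security): ...` that names the decision owner. Independently, `SELECT u.*` hands whatever columns the `users` table has to `User.from_sqlite3_row`; I cannot see that constructor from here, so confirm the response carries no secret-bearing columns, and prefer listing the fields the API actually needs in the SELECT. Minor: `cursor.fetchall() or []` is redundant since `fetchall()` already returns a list, and `_token` is acquired but never read, which is what makes the authorisation gap easy to miss.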