authorFrederick Muriuki Muriithi2026-05-18 10:14:15 -0500
committerFrederick Muriuki Muriithi2026-05-18 10:14:15 -0500
commit067f0c198cee7c41060ff69762348cacbaa2eb92 (patch)
treea50693e7d647bd653efa013e497a1eb7da09724e /gn_auth
parentea057d854476410556681424ec858ea5e4ab5d2c (diff)
downloadgn-auth-067f0c198cee7c41060ff69762348cacbaa2eb92.tar.gz
Update call to `can_edit` to separate resource and system privileges
Diffstat (limited to 'gn_auth')
-rw-r--r--gn_auth/auth/authorisation/resources/views.py28
1 files changed, 17 insertions, 11 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index f7f2ee3..f114476 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -127,17 +127,23 @@ def edit_resource(resource_id: UUID) -> Response:
     db_uri = app.config["AUTH_DB"]
     with (require_oauth.acquire("profile group resource") as _token,
           db.connection(db_uri) as conn):
-        _privileges = tuple(
-            privilege.privilege_id
-            for role in (
-                    role for resource in user_roles_on_resources(
-                        conn,
-                        _token.user,
-                        (resource_id, system_resource(conn).resource_id)
-                    ).values()
-                    for role in resource.get("roles", tuple()))
-            for privilege in role.privileges)
-        if not gn_libs.privileges.resources.can_edit(_privileges):
+        def __extract_privileges__(roles: tuple[Role, ...]) -> tuple[str, ...]:
+            return tuple(
+                priv.privilege_id for role in roles
+                for priv in role.privileges)
+
+        _sys_resource = system_resource(conn)
+        _privileges = {
+            ("system_privileges"
+             if _rid == _sys_resource.resource_id
+             else "resource_privileges"): __extract_privileges__(_rroles)
+            for _rid, _rroles in user_roles_on_resources(
+                conn,
+                _token.user,
+                (resource_id, _sys_resource.resource_id)
+            ).items()
+        }
+        if not gn_libs.privileges.resources.can_edit(**_privileges):
             return make_response(jsonify({
                 "error": "AuthorisationError",
                 "error_description": "You are not allowed to edit this resource."
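Review bot: `can_edit(**_privileges)` on the last added line only receives whichever keys `user_roles_on_resources` happens to return, so a user with no roles on one of the two resources, or a request whose `resource_id` is the system resource itself (the two ids collapse to a single dict key), reaches the authorisation check with one keyword missing, and whether that is a TypeError or a silent default depends on `can_edit`'s signature in gn_libs, which is not visible here. Building the dict from the two known ids with an empty-tuple fallback, as below, makes the check independent of what the mapping omits. Separately, the removed lines read `resource.get("roles", tuple())` from each value whereas the new comprehension passes the value straight to `__extract_privileges__` as a tuple of `Role`; unless `user_roles_on_resources` changed shape in another commit, that iterates a mapping's keys and fails on `.privileges`. `Role` also needs to be in scope in views.py for the new annotation; I cannot see whether it is imported. `edit_resource` starts and ends outside the hunk.
```python
        _sys_resource = system_resource(conn)
        _roles_by_resource = user_roles_on_resources(
            conn,
            _token.user,
            (resource_id, _sys_resource.resource_id)
        )
        # Always pass both keywords so `can_edit` never sees a missing
        # argument when the user holds no roles on one of the resources.
        _privileges = {
            "resource_privileges": __extract_privileges__(
                _roles_by_resource.get(resource_id, tuple())),
            "system_privileges": __extract_privileges__(
                _roles_by_resource.get(_sys_resource.resource_id, tuple()))
        }
        # … unchanged: can_edit check and error response …
```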