aboutsummaryrefslogtreecommitdiff
path: root/gn_auth
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-06-07 11:44:37 -0500
committerFrederick Muriuki Muriithi2024-06-07 11:53:26 -0500
commit50e458b8951f036c487d7854ebe438e4dfbd6c4f (patch)
treeed0c026a19a9c7d8f3936769509d12347ed76402 /gn_auth
parentbd56f2cdaef1716cf5207911f9facbe80733519c (diff)
downloadgn-auth-50e458b8951f036c487d7854ebe438e4dfbd6c4f.tar.gz
Update role assignment: user resource_roles table
We no longer use the group_roles table, and have moved to the less privilege-escalation-prone resource_roles table. This commit updates the queries to use the newer resource_roles table.
Diffstat (limited to 'gn_auth')
-rw-r--r--gn_auth/auth/authorisation/resources/models.py20
1 files changed, 10 insertions, 10 deletions
diff --git a/gn_auth/auth/authorisation/resources/models.py b/gn_auth/auth/authorisation/resources/models.py
index e23aac5..95a7f1c 100644
--- a/gn_auth/auth/authorisation/resources/models.py
+++ b/gn_auth/auth/authorisation/resources/models.py
@@ -34,22 +34,22 @@ from .phenotype import (
from .errors import MissingGroupError
-def __assign_resource_owner_role__(cursor, resource, user, group):
+def __assign_resource_owner_role__(cursor, resource, user):
"""Assign `user` the 'Resource Owner' role for `resource`."""
cursor.execute(
- "SELECT gr.* FROM group_roles AS gr INNER JOIN roles AS r "
- "ON gr.role_id=r.role_id WHERE r.role_name='resource-owner' "
- "AND gr.group_id=?",
- (str(group.group_id),))
+ "SELECT rr.* FROM resource_roles AS rr INNER JOIN roles AS r "
+ "ON rr.role_id=r.role_id WHERE r.role_name='resource-owner' "
+ "AND rr.resource_id=?",
+ (str(resource.resource_id),))
role = cursor.fetchone()
if not role:
cursor.execute("SELECT * FROM roles WHERE role_name='resource-owner'")
role = cursor.fetchone()
cursor.execute(
- "INSERT INTO group_roles VALUES "
- "(:group_role_id, :group_id, :role_id)",
- {"group_role_id": str(uuid4()),
- "group_id": str(group.group_id),
+ "INSERT INTO resource_roles(resource_id, role_created_by, role_id) "
+ "VALUES (:resource_id, :user_id, :role_id)",
+ {"resource_id": str(resource.resource_id),
+ "user_id": str(user.user_id),
"role_id": role["role_id"]})
cursor.execute(
@@ -86,7 +86,7 @@ def create_resource(
cursor.execute("INSERT INTO resource_ownership (group_id, resource_id) "
"VALUES (?, ?)",
(str(group.group_id), str(resource.resource_id)))
- __assign_resource_owner_role__(cursor, resource, user, group)
+ __assign_resource_owner_role__(cursor, resource, user)
return resource