author | Frederick Muriuki Muriithi | 2025-06-09 12:53:58 -0500 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2025-06-09 12:53:58 -0500 |
commit | 1fb89d6ec14db63ef57573260d2996fd3d169f5e (patch) | |
tree | eb65759357dc247fca057ed0bdd02420950e4c3c /gn_auth | |
parent | 183076a4ae6b7d0f7e8c5369111ae79e5cad04ba (diff) | |
download | gn-auth-1fb89d6ec14db63ef57573260d2996fd3d169f5e.tar.gz |
Use more flexible check for authorisation.
Use the more flexible check of the authorisation that a user holds on a
specific resource.
Diffstat (limited to 'gn_auth')
-rw-r--r-- | gn_auth/auth/authorisation/data/phenotypes.py | 27 | ||||
-rw-r--r-- | gn_auth/auth/authorisation/data/views.py | 6 |
2 files changed, 25 insertions, 8 deletions
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index 63b3f12..3e45af3 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -8,8 +8,12 @@ from MySQLdb.cursors import DictCursor
 
 
 from gn_auth.auth.db import sqlite3 as authdb
+from gn_auth.auth.errors import AuthorisationError
 from gn_auth.auth.authorisation.checks import authorised_p
-from gn_auth.auth.authorisation.resources.groups.models import Group
+from gn_auth.auth.authorisation.resources.system.models import system_resource
+from gn_auth.auth.authorisation.resources.groups.models import Group, group_resource
+
+from gn_auth.auth.authorisation.resources.checks import authorised_for2
 
 def linked_phenotype_data(
 authconn: authdb.DbConnection, gn3conn: gn3db.Connection,
@@ -111,17 +115,26 @@ def pheno_traits_from_db(gn3conn: gn3db.Connection, params: tuple[dict, ...]) ->
 return cursor.fetchall()
 
 
-@authorised_p(("system:data:link-to-group",),
- error_description=(
- "You do not have sufficient privileges to link data to (a) "
- "group(s)."),
- oauth2_scope="profile group resource")
 def link_phenotype_data(
- authconn:authdb.DbConnection,
+ authconn: authdb.DbConnection,
+ user,
 group: Group,
 traits: tuple[dict, ...]
 ) -> dict:
 """Link phenotype traits to a user group."""
+ if not (authorised_for2(authconn,
+ user,
+ system_resource(authconn),
+ ("system:data:link-to-group",))
+ or
+ authorised_for2(authconn,
+ user,
+ group_resource(authconn, group.group_id),
+ ("group:data:link-to-group",))
+ ):
+ raise AuthorisationError(
+ "You do not have sufficient privileges to link data to group "
+ f"'{group.group_name}'.")
 with authdb.cursor(authconn) as cursor:
 params = tuple({
 "data_link_id": str(uuid.uuid4()),
diff --git a/gn_auth/auth/authorisation/data/views.py b/gn_auth/auth/authorisation/data/views.py
index fc20e86..9123949 100644
--- a/gn_auth/auth/authorisation/data/views.py
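Review bot: The new AuthorisationError raised in link_phenotype_data echoes `group.group_name` back to a caller who has just failed the privilege check, so anyone able to POST an arbitrary group id learns the name of a group they have no rights on, whereas the removed `@authorised_p` decorator reported a generic message. Unless group names are public in this system, keep the message generic or echo only the identifier the caller supplied, e.g. `f"'{group.group_id}'."`. The added `user` parameter is also the only one in the signature without a type annotation (`user: User`, if the project's user type is importable here, would match the rest), and the docstring should state that the function raises AuthorisationError when the user holds neither the system-level nor the group-level link privilege. Note too that the `oauth2_scope="profile group resource"` check the old decorator performed is no longer done in this function, so any caller other than the view updated in this commit must enforce the scope itself — worth one sentence in the docstring. The body of link_phenotype_data continues past the end of the hunk.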
+++ b/gn_auth/auth/authorisation/data/views.py
@@ -312,6 +312,7 @@ def link_mrna() -> Response:
 partial(__link__, **__values__(request_json()))))
 
 @data.route("/link/phenotype", methods=["POST"])
+@require_oauth("profile group resource")
 def link_phenotype() -> Response:
 """Link phenotype data to group."""
 def __values__(form):
@@ -331,7 +332,8 @@ def link_phenotype() -> Response:
 "using_raw_ids": bool(form.get("using-raw-ids") == "on")
 }
 
- with gn3db.database_connection(app.config["SQL_URI"]) as gn3conn:
+ with (require_oauth.acquire("profile group resource") as token,
+ gn3db.database_connection(app.config["SQL_URI"]) as gn3conn):
 def __link__(
 conn: db.DbConnection,
 group_id: uuid.UUID,
@@ -340,9 +342,11 @@ def link_phenotype() -> Response:
 ) -> dict:
 if using_raw_ids:
 return link_phenotype_data(conn,
+ token.user,
 group_by_id(conn, group_id),
 traits)
 return link_phenotype_data(conn,
+ token.user,
 group_by_id(conn, group_id),
 pheno_traits_from_db(gn3conn, traits))
 
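Review bot: `require_oauth.acquire("profile group resource")` in the new `with` statement validates the bearer token a second time, because the `@require_oauth("profile group resource")` decorator added to `link_phenotype` in the hunk above already does so (assuming `require_oauth` is the usual authlib ResourceProtector); one of the two is redundant. Since the `acquire` form is the one that yields `token` for the `token.user` arguments, the decorator can simply be dropped, or keep the decorator and take the token it validated instead — but not both. Also note that `__link__` closes over `token`, so it is only valid while this `with` block is active; the remainder of link_phenotype, where `__link__` is invoked, lies outside the hunk.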