Use Auth function that checks for delete access.

author: Frederick Muriuki Muriithi 2026-02-10 11:21:55 -0600
committer: Frederick Muriuki Muriithi 2026-02-10 11:27:38 -0600
commit: 2fe5d90776edd1bc62a6eeaa492d3efb2974b158 (patch)
tree: 7c4fc0ea5d7723167fdfa2948b60f4b0dad3dbf1 /gn_auth
parent: 5d0c7b9f0a811e1b777285f4f7de59db8deeb14c (diff)
download: gn-auth-2fe5d90776edd1bc62a6eeaa492d3efb2974b158.tar.gz
2 files changed, 11 insertions, 26 deletions
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index 1f79e0e..788b9e7 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -12,8 +12,8 @@ from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
 
 from gn_auth.auth.errors import AuthorisationError
 from gn_auth.auth.authorisation.checks import authorised_p
+from gn_auth.auth.authorisation.resources.checks import can_delete
 from gn_auth.auth.authorisation.resources.system.models import system_resource
-from gn_auth.auth.authorisation.resources.checks import authorised_for_spec
 from gn_auth.auth.authorisation.resources.groups.models import Group, group_resource
 
 
@@ -251,12 +251,6 @@ def delete_linked_phenotypes_data(
     with (require_oauth.acquire("profile group resource") as _token,
           authdb.connection(db_uri) as auth_conn,
           authdb.cursor(auth_conn) as cursor):
-        # - Does user have DELETE privilege on system (i.e. is data curator)?
-        #   YES: go ahead and delete data as below.
-        # - Does user have DELETE privilege on resource(s)?
-        #   YES: Delete phenotypes by resource, checking privileges for each
-        #        resource.
-        # - Neither: Raise `AuthorisationError` and bail!
         _deleted = 0
         xref_ids = tuple(request.json.get("xref_ids", []))#type: ignore[union-attr]
         if len(xref_ids) > 0:
@@ -264,19 +258,12 @@ def delete_linked_phenotypes_data(
             data_link_ids = fetch_data_link_ids(
                 cursor, species_id, population_id, dataset_id, xref_ids)
             resource_id = fetch_resource_id(cursor, data_link_ids)
-            if not (authorised_for_spec(
-                    auth_conn,
-                    _token.user.user_id,
-                    resource_id,
-                    "(OR group:resource:delete-resource system:resource:delete)")
-                    or
-                    authorised_for_spec(
-                        auth_conn,
-                        _token.user.user_id,
-                        system_resource(auth_conn).resource_id,
-                        "(AND system:system-wide:data:delete)")):
+            # - Does user have DELETE privilege on the data
+            if not can_delete(auth_conn, _token.user.user_id, resource_id):
+                # - No: Raise `AuthorisationError` and bail!
                 raise AuthorisationError(
                     "You are not allowed to delete this resource's data.")
+            # - YES: go ahead and delete data as below.
             _resources_ids = unlink_from_resources(cursor, data_link_ids)
             delete_resources(cursor, _resources_ids)
             _deleted = delete_linked_data(cursor, data_link_ids)
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index a960ca3..e4401c5 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -39,12 +39,14 @@ from gn_auth.auth.authorisation.roles.models import (
 from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
 from gn_auth.auth.authentication.users import User, user_by_id, user_by_email
 
+from .system.models import system_resource
+
 from .inbredset.views import popbp
 from .genotypes.views import genobp
 from .phenotypes.views import phenobp
 from .errors import MissingGroupError
 from .groups.models import Group, user_group
-from .checks import authorised_for, authorised_for_spec
+from .checks import can_delete, authorised_for
 from .models import (
     Resource, resource_data, resource_by_id, public_resources,
     resource_categories, assign_resource_user, link_data_to_resource,
@@ -685,13 +687,9 @@ def delete_resource():
         form = request_json()
         try:
             resource_id = UUID(form.get("resource_id"))
-            if not authorised_for_spec(
-                    conn,
-                    the_token.user.user_id,
-                    resource_id,
-                    "(OR group:resource:delete-resource system:resource:delete)"):
-                raise AuthorisationError("You do not have the appropriate "
-                                         "privileges to delete this resource.")
+            if not can_delete(conn, the_token.user.user_id, resource_id):
+                raise AuthorisationError(
+                    "You are not allowed to delete this resource.")
 
             data = resource_data(
                 conn,
author	Frederick Muriuki Muriithi	2026-02-10 11:21:55 -0600
committer	Frederick Muriuki Muriithi	2026-02-10 11:27:38 -0600
commit	2fe5d90776edd1bc62a6eeaa492d3efb2974b158 (patch)
tree	7c4fc0ea5d7723167fdfa2948b60f4b0dad3dbf1 /gn_auth
parent	5d0c7b9f0a811e1b777285f4f7de59db8deeb14c (diff)
download	gn-auth-2fe5d90776edd1bc62a6eeaa492d3efb2974b158.tar.gz