| -rw-r--r-- | gn_auth/auth/authorisation/resources/checks.py | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/checks.py b/gn_auth/auth/authorisation/resources/checks.py
index 59bf90c..225468c 100644
--- a/gn_auth/auth/authorisation/resources/checks.py
+++ b/gn_auth/auth/authorisation/resources/checks.py
@@ -5,6 +5,7 @@ import warnings
 from functools import reduce
 from typing import Sequence
+import gn_libs.sqlite3 as authdb
 from gn_libs.privileges import check
 from .base import Resource
@@ -12,6 +13,7 @@ from .base import Resource
 from ...db import sqlite3 as db
 from ...authentication.users import User
+from ..system.models import system_resource
 from ..privileges.models import db_row_to_privilege
@@ -125,3 +127,23 @@ def authorised_for_spec(
 (str(resource_id), str(user_id)))
 _privileges = tuple(row["privilege_id"] for row in cursor.fetchall())
 return check(auth_spec, _privileges)
+
+
+def can_delete(
+ conn: authdb.DbConnection,
+ user_id: uuid.UUID,
+ resource_id: uuid.UUID
+) -> bool:
+ """Check whether user is allowed delete a resource and/or its data."""
+ return (
+ authorised_for_spec(# resource-level delete access
+ conn,
+ user_id,
+ resource_id,
+ "(OR group:resource:delete-resource system:resource:delete)")
+ or
+ authorised_for_spec(# system-wide delete access
+ conn,
+ user_id,
+ system_resource(conn).resource_id,
+ "(AND system:system-wide:data:delete)"))
|
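Review bot: The docstring of the new `can_delete` (the `+def can_delete(` lines in the third hunk) should spell out its two-tier semantics, since callers will treat it as the deletion authorisation gate: the first `authorised_for_spec` call grants on `group:resource:delete-resource` or `system:resource:delete` held for `resource_id`, and only when that fails is `system:system-wide:data:delete` checked against `system_resource(conn).resource_id`, so a holder of that system-wide privilege can delete any resource regardless of `resource_id`. Something like `"""Return True if user_id may delete resource_id (or its data): either a resource-scoped delete privilege on the resource itself, or the system-wide system:system-wide:data:delete privilege held on the system resource."""` documents that and also fixes the grammar of "allowed delete". The annotation `conn: authdb.DbConnection` uses the newly imported `gn_libs.sqlite3` alias while the file keeps importing `...db.sqlite3 as db`; if those are distinct connection types, the new function is annotated inconsistently with `authorised_for_spec`, to which it forwards `conn` — worth confirming or settling on one alias. The `# resource-level delete access` comments glued to the open paren (`authorised_for_spec(# …`) read better on their own line above each call. `uuid` is referenced in the signature but not imported in either import hunk; presumably it is already imported above line 5.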
