diff options
| -rw-r--r-- | gn_auth/auth/authorisation/resources/views.py | 38 | ||||
| -rw-r--r-- | gn_auth/auth/authorisation/roles/models.py | 11 |
2 files changed, 40 insertions, 9 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py index 21737b3..38571f2 100644 --- a/gn_auth/auth/authorisation/resources/views.py +++ b/gn_auth/auth/authorisation/resources/views.py @@ -17,12 +17,13 @@ from gn_auth.auth.db import sqlite3 as db from gn_auth.auth.db.sqlite3 import with_db_connection from gn_auth.auth.authorisation.roles import Role -from gn_auth.auth.authorisation.roles.models import db_rows_to_roles from gn_auth.auth.authorisation.privileges import Privilege from gn_auth.auth.errors import InvalidData, InconsistencyError, AuthorisationError -from gn_auth.auth.authorisation.roles.models import (role_by_id, - db_rows_to_roles, - check_user_editable) +from gn_auth.auth.authorisation.roles.models import ( + role_by_id, + db_rows_to_roles, + check_user_editable, + delete_privilege_from_resource_role) from gn_auth.auth.authentication.oauth2.resource_server import require_oauth from gn_auth.auth.authentication.users import User, user_by_id, user_by_email @@ -508,10 +509,29 @@ def unassign_resource_role_privilege(resource_id: uuid.UUID, role_id: uuid.UUID) with (require_oauth.acquire("profile group resource") as _token, db.connection(app.config["AUTH_DB"]) as conn, db.cursor(conn) as cursor): - # TODO: Check whether role is user editable _role = role_by_id(conn, role_id) - check_user_editable(_role) - # TODO: Check whether user has correct permissions to edit role for this resource - pass + # check_user_editable(_role) # Check whether role is user editable + + _authorised = authorised_for( + conn, + _token.user, + privileges=("resource:role:edit-role",), + resource_ids=(resource_id,)).get(resource_id) + if not _authorised: + raise AuthorisationError( + "You are not authorised to edit/update this role.") + + # Actually unassign the privilege from the role + privilege_id = request.json.get("privilege_id") + if not privilege_id: + raise AuthorisationError( + "You need to provide a privilege to unassign") - raise NotImplementedError("Not implemented.") + delete_privilege_from_resource_role(cursor, + _role, + privilege_by_id(privilege_id)) + + return jsonify({ + "status": "Success", + "message": "Privilege was unassigned." + }), 200 diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py index b559bff..e740bfd 100644 --- a/gn_auth/auth/authorisation/roles/models.py +++ b/gn_auth/auth/authorisation/roles/models.py @@ -239,3 +239,14 @@ def role_by_id(conn: db.DbConnection, role_id: UUID) -> Optional[Role]: raise Exception("Data corruption: Expected a single role.") return _roles[0] + + +def delete_privilege_from_resource_role( + cursor: db.DbCursor, + role: Role, + privilege_id: str +): + """Delete a privilege from a resource role.""" + cursor.execute( + "DELETE FROM role_privileges WHERE role_id=? AND privilege_id=?", + (str(role.role_id), privilege.privilege_id)) |