Diffstat (limited to 'gn_auth/auth/authorisation/data')
-rw-r--r--gn_auth/auth/authorisation/data/phenotypes.py20
1 files changed, 15 insertions, 5 deletions
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index 91f761a..20f887c 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -13,8 +13,10 @@ from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
 from gn_auth.auth.errors import AuthorisationError
 from gn_auth.auth.authorisation.checks import authorised_p
 from gn_auth.auth.authorisation.resources.system.models import system_resource
+from gn_auth.auth.authorisation.resources.checks import authorised_for_spec
 from gn_auth.auth.authorisation.resources.groups.models import Group, group_resource
 
+
 from gn_auth.auth.authorisation.checks import require_json
 from gn_auth.auth.authorisation.resources.checks import authorised_for2
 
@@ -248,11 +250,6 @@ def delete_linked_phenotypes_data(
     with (require_oauth.acquire("profile group resource") as _token,
           authdb.connection(db_uri) as auth_conn,
           authdb.cursor(auth_conn) as cursor):
-        # TODO: Check for user privileges here.
-        if _token.user.email not in (
-                'acenteno@gmail.com', 'acenteno@uthsc.edu'):
-            raise AuthorisationError(
-                "You are not allowed to delete this resource's data.")
         # - Does user have DELETE privilege on system (i.e. is data curator)?
         #   YES: go ahead and delete data as below.
         # - Does user have DELETE privilege on resource(s)?
@@ -266,6 +263,19 @@ def delete_linked_phenotypes_data(
             data_link_ids = fetch_data_link_ids(
                 cursor, species_id, population_id, dataset_id, xref_ids)
             resource_id = fetch_resource_id(cursor, data_link_ids)
+            if not (authorised_for_spec(
+                    auth_conn,
+                    _token.user.user_id,
+                    resource_id,
+                    "(OR group:resource:delete-resource system:resource:delete)")
+                    or
+                    authorised_for_spec(
+                        auth_conn,
+                        _token.user.user_id,
+                        system_resource(auth_conn).resource_id,
+                        "(AND system:system-wide:data:delete)")):
+                raise AuthorisationError(
+                    "You are not allowed to delete this resource's data.")
             _resources_ids = unlink_from_resources(cursor, data_link_ids)
             delete_resources(cursor, _resources_ids)
             _deleted = delete_linked_data(cursor, data_link_ids)
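Review bot: The new privilege check authorises against the single `resource_id` returned by `fetch_resource_id(cursor, data_link_ids)`, but the `unlink_from_resources`, `delete_resources` and `delete_linked_data` calls after it act on the whole `data_link_ids` list. Whether `fetch_resource_id` rejects an empty list, or link ids that belong to more than one resource, is not visible in this hunk. If it does not, the check would cover only part of what gets deleted. I would either run `authorised_for_spec` for every resource the links map to, or state the invariant at the call, e.g. `# fetch_resource_id must raise unless all data_link_ids belong to exactly one resource`. The body of `delete_linked_phenotypes_data` starts above this hunk and may continue below it.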