Diffstat (limited to 'gn_auth/auth/authorisation/resources')
-rw-r--r--gn_auth/auth/authorisation/resources/views.py20
1 files changed, 20 insertions, 0 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index 3300014..21737b3 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -20,6 +20,9 @@ from gn_auth.auth.authorisation.roles import Role
from gn_auth.auth.authorisation.roles.models import db_rows_to_roles
from gn_auth.auth.authorisation.privileges import Privilege
from gn_auth.auth.errors import InvalidData, InconsistencyError, AuthorisationError
+from gn_auth.auth.authorisation.roles.models import (role_by_id,
+ db_rows_to_roles,
+ check_user_editable)
from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
from gn_auth.auth.authentication.users import User, user_by_id, user_by_email
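Review bot: `db_rows_to_roles` is now imported twice from `gn_auth.auth.authorisation.roles.models`, once by the existing single-line import two lines above the addition and again inside the new parenthesised import. Extending the existing statement instead, `from gn_auth.auth.authorisation.roles.models import (role_by_id, db_rows_to_roles, check_user_editable)`, and not adding a second one avoids a redefinition warning from linters and keeps the module's authorisation helpers in one place.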
@@ -495,3 +498,20 @@ def resource_role(resource_id: uuid.UUID, role_id: uuid.UUID):
}), 500
return asdict(_roles[0])
+
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/unassign-privilege",
+ methods=["POST"])
+@require_oauth("profile group resource")
+def unassign_resource_role_privilege(resource_id: uuid.UUID, role_id: uuid.UUID):
+ """Unassign a privilege from a resource role."""
+ with (require_oauth.acquire("profile group resource") as _token,
+ db.connection(app.config["AUTH_DB"]) as conn,
+ db.cursor(conn) as cursor):
+ # TODO: Check whether role is user editable
+ _role = role_by_id(conn, role_id)
+ check_user_editable(_role)
+ # TODO: Check whether user has correct permissions to edit role for this resource
+ pass
+
+ raise NotImplementedError("Not implemented.")
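Review bot: `role_by_id(conn, role_id)` fetches the role by its ID alone, so nothing in `unassign_resource_role_privilege` ties `role_id` to the `resource_id` from the URL, and the check that the caller may edit roles on this resource is still only a TODO. Both checks need to run before any privilege removal is added to this body; otherwise a token holder with rights on one resource could presumably modify a role attached to another. I would replace the second TODO with something explicit such as `# TODO: verify role_id belongs to resource_id and that the token's user may edit roles on it; raise AuthorisationError otherwise`. As committed, the route is registered and every authenticated POST ends in `raise NotImplementedError("Not implemented.")`, which most likely surfaces as a 500 rather than a deliberate 501. The first TODO is already covered by `check_user_editable(_role)`, and `cursor`, `_token` and the trailing `pass` are unused.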