aboutsummaryrefslogtreecommitdiff
path: root/gn_auth
diff options
context:
space:
mode:
Diffstat (limited to 'gn_auth')
-rw-r--r--gn_auth/auth/authorisation/resources/views.py20
-rw-r--r--gn_auth/auth/authorisation/roles/models.py24
2 files changed, 42 insertions, 2 deletions
diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index 3300014..21737b3 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -20,6 +20,9 @@ from gn_auth.auth.authorisation.roles import Role
from gn_auth.auth.authorisation.roles.models import db_rows_to_roles
from gn_auth.auth.authorisation.privileges import Privilege
from gn_auth.auth.errors import InvalidData, InconsistencyError, AuthorisationError
+from gn_auth.auth.authorisation.roles.models import (role_by_id,
+ db_rows_to_roles,
+ check_user_editable)
from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
from gn_auth.auth.authentication.users import User, user_by_id, user_by_email
@@ -495,3 +498,20 @@ def resource_role(resource_id: uuid.UUID, role_id: uuid.UUID):
}), 500
return asdict(_roles[0])
+
+
+@resources.route("/<uuid:resource_id>/role/<uuid:role_id>/unassign-privilege",
+ methods=["POST"])
+@require_oauth("profile group resource")
+def unassign_resource_role_privilege(resource_id: uuid.UUID, role_id: uuid.UUID):
+ """Unassign a privilege from a resource role."""
+ with (require_oauth.acquire("profile group resource") as _token,
+ db.connection(app.config["AUTH_DB"]) as conn,
+ db.cursor(conn) as cursor):
+ # TODO: Check whether role is user editable
+ _role = role_by_id(conn, role_id)
+ check_user_editable(_role)
+ # TODO: Check whether user has correct permissions to edit role for this resource
+ pass
+
+ raise NotImplementedError("Not implemented.")
diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py
index 94ad2d1..699e3b3 100644
--- a/gn_auth/auth/authorisation/roles/models.py
+++ b/gn_auth/auth/authorisation/roles/models.py
@@ -2,8 +2,7 @@
from uuid import UUID, uuid4
from functools import reduce
from dataclasses import dataclass
-
-from typing import Sequence, Iterable
+from typing import Sequence, Iterable, Optional
from pymonad.either import Left, Right, Either
@@ -219,3 +218,24 @@ def assign_user_role_by_name(
"role_id": role["role_id"],
"resource_id": str(resource_id)
})
+
+
+def role_by_id(conn: db.DbConnection, role_id: UUID) -> Optional[Role]:
+ """Fetch a role from the database by its ID."""
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "SELECT r.*, p.* FROM roles AS r INNER JOIN role_privileges AS rp "
+ "ON r.role_id=rp.role_id INNER JOIN privileges AS p "
+ "ON rp.privilege_id=p.privilege_id "
+ "WHERE r.role_id=?",
+ (str(role_id),))
+ results = cursor.fetchall()
+
+ if not bool(results):
+ return None
+
+ _roles = db_rows_to_roles(results)
+ if len(_roles) > 1:
+ raise Exception("Data corruption: Expected a single role.")
+
+ return _roles[0]