From 37771b3be3142f705101beb4c5dc34c1000962f9 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Wed, 13 Sep 2023 11:23:45 +0300
Subject: Remove group from resource objects

With the new schema, not all Resource objects are "owned" by a
group. Those that are, are linked together through a different db
table (`resource_ownership`).

This commit removes the `Group` object from `Resource` objects and
updates the `resource_ownership` where relevant.
---
 gn_auth/auth/authorisation/roles/models.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'gn_auth/auth/authorisation/roles')

diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py
index e1b0d6b..579c9dc 100644
--- a/gn_auth/auth/authorisation/roles/models.py
+++ b/gn_auth/auth/authorisation/roles/models.py
@@ -136,6 +136,9 @@ def assign_default_roles(cursor: db.DbCursor, user: User):
 
 def revoke_user_role_by_name(cursor: db.DbCursor, user: User, role_name: str):
     """Revoke a role from `user` by the role's name"""
+    # TODO: Pass in the resource_id - this works somewhat correctly, but it's
+    #       only because it is used in for revoking the "group-creator" role so
+    #       far
     cursor.execute(
         "SELECT role_id FROM roles WHERE role_name=:role_name",
         {"role_name": role_name})
@@ -146,7 +149,8 @@ def revoke_user_role_by_name(cursor: db.DbCursor, user: User, role_name: str):
              "WHERE user_id=:user_id AND role_id=:role_id"),
             {"user_id": str(user.user_id), "role_id": role["role_id"]})
 
-def assign_user_role_by_name(cursor: db.DbCursor, user: User, role_name: str):
+def assign_user_role_by_name(
+        cursor: db.DbCursor, user: User, resource_id: UUID, role_name: str):
     """Revoke a role from `user` by the role's name"""
     cursor.execute(
         "SELECT role_id FROM roles WHERE role_name=:role_name",
@@ -155,6 +159,10 @@ def assign_user_role_by_name(cursor: db.DbCursor, user: User, role_name: str):
 
     if role:
         cursor.execute(
-            ("INSERT INTO user_roles VALUES(:user_id, :role_id) "
+            ("INSERT INTO user_roles VALUES(:user_id, :role_id, :resource_id) "
              "ON CONFLICT DO NOTHING"),
-            {"user_id": str(user.user_id), "role_id": role["role_id"]})
+            {
+                "user_id": str(user.user_id),
+                "role_id": role["role_id"],
+                "resource_id": str(resource_id)
+            })
-- 
cgit v1.2.3