From 9f4e9db223b4e2c052756208ecf035044db0451d Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Tue, 26 Sep 2023 02:36:37 +0300 Subject: Add `public-view` role. Assign it to users. Add a new `public-view` role to be assigned to all users on all resources that are defined as publicly viewable. Update code to make assign `public-view` role to a newly registered user for all publicly viewable roles. Update the code to assign/revoke the `public-view` role to/from users whenever the resource is toggled to and from being publicly viewable. Ensure that `public-view` is not revoked from system-administrators. Ensure that `public-view` is not revoked from the group administrators of the group that owns the resource. --- gn_auth/auth/authorisation/roles/models.py | 38 +++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 8 deletions(-) (limited to 'gn_auth/auth/authorisation/roles') diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py index 4281446..7d78eac 100644 --- a/gn_auth/auth/authorisation/roles/models.py +++ b/gn_auth/auth/authorisation/roles/models.py @@ -133,18 +133,40 @@ def user_role(conn: db.DbConnection, user: User, role_id: UUID) -> Either: return Left(NotFoundError( f"Could not find role with id '{role_id}'",)) -def assign_default_roles(cursor: db.DbCursor, user: User): - """Assign `user` some default roles.""" +def __assign_group_creator_role__(cursor: db.DbCursor, user: User): cursor.execute( 'SELECT role_id FROM roles WHERE role_name IN ' '("group-creator")') - role_ids = cursor.fetchall() - str_user_id = str(user.user_id) - params = tuple( - {"user_id": str_user_id, "role_id": row["role_id"]} for row in role_ids) + role_id = cursor.fetchone()["role_id"] + cursor.execute( + "SELECT resource_id FROM resources AS r " + "INNER JOIN resource_categories AS rc " + "ON r.resource_category_id=rc.resource_category_id " + "WHERE rc.resource_category_key='system'") + resource_id = cursor.fetchone()["resource_id"] + cursor.execute( + ("INSERT INTO user_roles VALUES (:user_id, :role_id, :resource_id)"), + {"user_id": str(user.user_id), "role_id": role_id, + "resource_id": resource_id}) + +def __assign_public_view_role__(cursor: db.DbCursor, user: User): + cursor.execute("SELECT resource_id FROM resources WHERE public=1") + public_resources = tuple(row["resource_id"] for row in cursor.fetchall()) + cursor.execute("SELECT role_id FROM roles WHERE role_name='public-view'") + role_id = cursor.fetchone()["role_id"] cursor.executemany( - ("INSERT INTO user_roles VALUES (:user_id, :role_id)"), - params) + "INSERT INTO user_roles(user_id, role_id, resource_id " + "VALUES(:user_id, :role_id, :resource_id)", + tuple({ + "user_id": str(user.user_id), + "role_id": role_id, + "resource_id": resource_id + } for resource_id in public_resources)) + +def assign_default_roles(cursor: db.DbCursor, user: User): + """Assign `user` some default roles.""" + __assign_group_creator_role__(cursor, user) + __assign_public_view_role__(cursor, user) def revoke_user_role_by_name(cursor: db.DbCursor, user: User, role_name: str): """Revoke a role from `user` by the role's name""" -- cgit v1.2.3