From 50e458b8951f036c487d7854ebe438e4dfbd6c4f Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Fri, 7 Jun 2024 11:44:37 -0500
Subject: Update role assignment: user resource_roles table

We no longer use the group_roles table, and have moved to the less
privilege-escalation-prone resource_roles table. This commit updates
the queries to use the newer resource_roles table.
---
 gn_auth/auth/authorisation/resources/models.py | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'gn_auth/auth/authorisation')

diff --git a/gn_auth/auth/authorisation/resources/models.py b/gn_auth/auth/authorisation/resources/models.py
index e23aac5..95a7f1c 100644
--- a/gn_auth/auth/authorisation/resources/models.py
+++ b/gn_auth/auth/authorisation/resources/models.py
@@ -34,22 +34,22 @@ from .phenotype import (
 
 from .errors import MissingGroupError
 
-def __assign_resource_owner_role__(cursor, resource, user, group):
+def __assign_resource_owner_role__(cursor, resource, user):
     """Assign `user` the 'Resource Owner' role for `resource`."""
     cursor.execute(
-        "SELECT gr.* FROM group_roles AS gr INNER JOIN roles AS r "
-        "ON gr.role_id=r.role_id WHERE r.role_name='resource-owner' "
-        "AND gr.group_id=?",
-        (str(group.group_id),))
+        "SELECT rr.* FROM resource_roles AS rr INNER JOIN roles AS r "
+        "ON rr.role_id=r.role_id WHERE r.role_name='resource-owner' "
+        "AND rr.resource_id=?",
+        (str(resource.resource_id),))
     role = cursor.fetchone()
     if not role:
         cursor.execute("SELECT * FROM roles WHERE role_name='resource-owner'")
         role = cursor.fetchone()
         cursor.execute(
-            "INSERT INTO group_roles VALUES "
-            "(:group_role_id, :group_id, :role_id)",
-            {"group_role_id": str(uuid4()),
-             "group_id": str(group.group_id),
+            "INSERT INTO resource_roles(resource_id, role_created_by, role_id) "
+            "VALUES (:resource_id, :user_id, :role_id)",
+            {"resource_id": str(resource.resource_id),
+             "user_id": str(user.user_id),
              "role_id": role["role_id"]})
 
     cursor.execute(
@@ -86,7 +86,7 @@ def create_resource(
         cursor.execute("INSERT INTO resource_ownership (group_id, resource_id) "
                        "VALUES (?, ?)",
                        (str(group.group_id), str(resource.resource_id)))
-        __assign_resource_owner_role__(cursor, resource, user, group)
+        __assign_resource_owner_role__(cursor, resource, user)
 
     return resource
 
-- 
cgit v1.2.3