From a96a4647cc3e35f177926ff711b1a31ab7513e03 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Fri, 30 Jan 2026 09:29:59 -0600 Subject: Add placeholder check for privileges For now, only one user is allowed to delete data from Genenetwork. To get the code online as quickly as possible, in order to test out the system, I have elected to do a quick and dirty check that prevents everyone except @acenteno from being able to delete data from the system. To fix this, I'll need to actually implement (a) new role(s) to grant certain users special permissions on **ALL** the data in the system regardless of who owns it.
---
gn_auth/auth/authorisation/data/phenotypes.py | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'gn_auth/auth')
diff --git a/gn_auth/auth/authorisation/data/phenotypes.py b/gn_auth/auth/authorisation/data/phenotypes.py
index d484c44..d335314 100644
--- a/gn_auth/auth/authorisation/data/phenotypes.py
+++ b/gn_auth/auth/authorisation/data/phenotypes.py
@@ -232,6 +232,10 @@ def delete_linked_phenotypes_data(
 authdb.connection(db_uri) as auth_conn,
 authdb.cursor(auth_conn) as cursor):
 # TODO: Check for user privileges here.
+ if _token.user.email not in (
+ 'acenteno@gmail.com', 'acenteno@uthsc.edu'):
+ raise AuthorisationError(
+ "You are not allowed to delete this resource's data.")
 # - Does user have DELETE privilege on system (i.e. is data curator)?
 # YES: go ahead and delete data as below.
 # - Does user have DELETE privilege on resource(s)?
-- cgit 1.4.1
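Review bot: The added guard in `delete_linked_phenotypes_data` authorises a destructive operation by comparing `_token.user.email` against two string literals, so the delete privilege is only as strong as the guarantee that no other account can hold one of those addresses. Whether gn-auth verifies e-mail ownership and enforces uniqueness is not visible in this hunk and should be confirmed before this goes online. If it does not, compare an immutable identifier instead and read the allow-list from deployment configuration rather than source, along the lines of `if _token.user.<IMMUTABLE_ID> not in <CONFIGURED_DELETER_IDS>:` (both names are placeholders). The check also sits inside the `with` that opens both database connections, so it could move above that block to reject callers before any connection is acquired; the start of the function is outside the hunk, so confirm `_token` is available there. Until the role-based check lands, mark the block with a comment such as `# TEMPORARY: hard-coded allow-list; replace with a system-level DELETE role.` and log both denied and permitted deletions with the caller's identity for an audit trail.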