From e1f2966c0764980008a8caad6d2ba41a5ad0d853 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 10 Jun 2024 17:12:59 -0500
Subject: Unassign privilege from resource role.

---
 gn_auth/auth/authorisation/resources/views.py | 38 ++++++++++++++++++++-------
 gn_auth/auth/authorisation/roles/models.py    | 11 ++++++++
 2 files changed, 40 insertions(+), 9 deletions(-)

(limited to 'gn_auth')

diff --git a/gn_auth/auth/authorisation/resources/views.py b/gn_auth/auth/authorisation/resources/views.py
index 21737b3..38571f2 100644
--- a/gn_auth/auth/authorisation/resources/views.py
+++ b/gn_auth/auth/authorisation/resources/views.py
@@ -17,12 +17,13 @@ from gn_auth.auth.db import sqlite3 as db
 from gn_auth.auth.db.sqlite3 import with_db_connection
 
 from gn_auth.auth.authorisation.roles import Role
-from gn_auth.auth.authorisation.roles.models import db_rows_to_roles
 from gn_auth.auth.authorisation.privileges import Privilege
 from gn_auth.auth.errors import InvalidData, InconsistencyError, AuthorisationError
-from gn_auth.auth.authorisation.roles.models import (role_by_id,
-                                                     db_rows_to_roles,
-                                                     check_user_editable)
+from gn_auth.auth.authorisation.roles.models import (
+    role_by_id,
+    db_rows_to_roles,
+    check_user_editable,
+    delete_privilege_from_resource_role)
 
 from gn_auth.auth.authentication.oauth2.resource_server import require_oauth
 from gn_auth.auth.authentication.users import User, user_by_id, user_by_email
@@ -508,10 +509,29 @@ def unassign_resource_role_privilege(resource_id: uuid.UUID, role_id: uuid.UUID)
     with (require_oauth.acquire("profile group resource") as _token,
           db.connection(app.config["AUTH_DB"]) as conn,
           db.cursor(conn) as cursor):
-        # TODO: Check whether role is user editable
         _role = role_by_id(conn, role_id)
-        check_user_editable(_role)
-        # TODO: Check whether user has correct permissions to edit role for this resource
-        pass
+        # check_user_editable(_role) # Check whether role is user editable
+
+        _authorised = authorised_for(
+            conn,
+            _token.user,
+            privileges=("resource:role:edit-role",),
+            resource_ids=(resource_id,)).get(resource_id)
+        if not _authorised:
+            raise AuthorisationError(
+                "You are not authorised to edit/update this role.")
+
+        # Actually unassign the privilege from the role
+        privilege_id = request.json.get("privilege_id")
+        if not privilege_id:
+            raise AuthorisationError(
+                "You need to provide a privilege to unassign")
 
-    raise NotImplementedError("Not implemented.")
+        delete_privilege_from_resource_role(cursor,
+                                            _role,
+                                            privilege_by_id(privilege_id))
+
+        return jsonify({
+            "status": "Success",
+            "message": "Privilege was unassigned."
+        }), 200
diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py
index b559bff..e740bfd 100644
--- a/gn_auth/auth/authorisation/roles/models.py
+++ b/gn_auth/auth/authorisation/roles/models.py
@@ -239,3 +239,14 @@ def role_by_id(conn: db.DbConnection, role_id: UUID) -> Optional[Role]:
         raise Exception("Data corruption: Expected a single role.")
 
     return _roles[0]
+
+
+def delete_privilege_from_resource_role(
+        cursor: db.DbCursor,
+        role: Role,
+        privilege_id: str
+):
+    """Delete a privilege from a resource role."""
+    cursor.execute(
+        "DELETE FROM role_privileges WHERE role_id=? AND privilege_id=?",
+        (str(role.role_id), privilege.privilege_id))
-- 
cgit v1.2.3