about summary refs log tree commit diff
path: root/gn_libs
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2026-03-31 10:47:15 -0500
committerFrederick Muriuki Muriithi2026-03-31 10:47:15 -0500
commit968bacb5968eef5a272e1a6375f5f72a5c991c6b (patch)
treef8401bf811b329904e8d6b17f052b11268a5013e /gn_libs
parent96ba36523b83ab47513078c697df741c958ed794 (diff)
downloadgn-libs-968bacb5968eef5a272e1a6375f5f72a5c991c6b.tar.gz
Enforce the following invariants for roles/privileges:
* "Creators" can ONLY create
* "Viewers" can ONLY view
* "Editors" can view AND edit
* "Deletors" Can view AND edit AND delete
Diffstat (limited to 'gn_libs')
-rw-r--r--gn_libs/privileges/resources.py35
1 files changed, 26 insertions, 9 deletions
diff --git a/gn_libs/privileges/resources.py b/gn_libs/privileges/resources.py
index dea02f9..431ccd3 100644
--- a/gn_libs/privileges/resources.py
+++ b/gn_libs/privileges/resources.py
@@ -15,28 +15,45 @@ can_view = partial(
     privileges_fulfill_specs,
     resource_spec=(
         "(OR group:resource:view-resource system:resource:view "
-        "system:inbredset:view-case-attribute)"),
+        "    system:inbredset:view-case-attribute)"),
     system_spec="(OR system:system-wide:data:view system:resource:view)")
 
 
 can_edit = partial(
     privileges_fulfill_specs,
     resource_spec=(
-        "(OR group:resource:edit-resource system:resource:edit "
-        "system:inbredset:edit-case-attribute)"),
-    system_spec="(OR system:system-wide:data:edit system:resource:edit)")
+        "(OR "
+        "  (AND group:resource:view-resource group:resource:edit-resource) "
+        "  (AND system:resource:view system:resource:edit) "
+        "  (AND system:inbredset:view-case-attribute "
+        "       system:inbredset:edit-case-attribute))"),
+    system_spec=(
+        "(OR "
+        "  (AND system:system-wide:data:view system:system-wide:data:edit) "
+        "  (AND system:resource:view system:resource:edit))"))
 
 
 can_create = partial(
     privileges_fulfill_specs,
     resource_spec=("(OR group:resource:create-resource "
-                   "system:inbredset:create-case-attribute)"),
+                   "    system:inbredset:create-case-attribute)"),
     system_spec="(OR system:system-wide:data:create)")
 
 
 can_delete = partial(
     privileges_fulfill_specs,
-    resource_spec=("(OR group:resource:delete-resource "
-                   "system:inbredset:delete-case-attribute "
-                   "system:resource:delete)"),
-    system_spec="(OR system:system-wide:data:delete system:resource:delete)")
+    resource_spec=(
+        "(OR "
+        "  (AND group:resource:view-resource "
+        "       group:resource:edit-resource group:resource:delete-resource) "
+        "  (AND system:inbredset:view-case-attribute "
+        "       system:inbredset:edit-case-attribute "
+        "       system:inbredset:delete-case-attribute) "
+        "  (AND system:resource:view system:resource:edit "
+        "       system:resource:delete))"),
+    system_spec=(
+        "(OR "
+        "  (AND system:system-wide:data:view system:system-wide:data:edit "
+        "       system:system-wide:data:delete) "
+        "  (AND system:resource:view system:resource:edit "
+        "       system:resource:delete))"))
generated by cgit-pink 1.4.1 (git 2.36.1) at 2026-04-13 14:23:05 +0000