-rw-r--r--gn_libs/monadic_requests.py2
-rw-r--r--gn_libs/privileges/authspec.py7
-rw-r--r--gn_libs/privileges/resources.py18
3 files changed, 12 insertions, 15 deletions
diff --git a/gn_libs/monadic_requests.py b/gn_libs/monadic_requests.py
index a09acc5..1db1aa0 100644
--- a/gn_libs/monadic_requests.py
+++ b/gn_libs/monadic_requests.py
@@ -26,6 +26,7 @@ def get(url, params=None, **kwargs) -> Either:
 
     try:
         resp = requests.get(url, params=params, timeout=timeout, **kwargs)
+        resp.raise_for_status()
         if resp.status_code in SUCCESS_CODES:
             return Right(resp.json())
         return Left(resp)
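Review bot: With `resp.raise_for_status()` placed before the status check in `get`, every 4xx/5xx response now raises `requests.HTTPError` inside the `try`, so `return Left(resp)` is reached only for non-error codes outside `SUCCESS_CODES`. The `except` clause is outside this hunk; if it wraps the exception in `Left`, callers that read `.status_code` or the body from the `Left` value (for example to tell a 401 from a 403 returned by an auth server) will now get an exception object instead of the response, and if it does not catch `HTTPError` the function no longer returns an `Either` at all. The same applies to the identical line added in `post`. Either keep the `Left(resp)` path and drop the call, or state in both docstrings that the `Left` payload for HTTP errors is the exception, with the response available on its `.response` attribute.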
@@ -48,6 +49,7 @@ def post(url, data=None, json=None, **kwargs) -> Either:
 
     try:
         resp = requests.post(url, data=data, json=json, timeout=timeout, **kwargs)
+        resp.raise_for_status()
         if resp.status_code in SUCCESS_CODES:
             return Right(resp.json())
         return Left(resp)
diff --git a/gn_libs/privileges/authspec.py b/gn_libs/privileges/authspec.py
index 2ae154f..2819f9d 100644
--- a/gn_libs/privileges/authspec.py
+++ b/gn_libs/privileges/authspec.py
@@ -167,10 +167,11 @@ def check(spec: str, privileges: tuple[str, ...]) -> bool:
 
 
 def privileges_fulfill_specs(
-        queried_privileges: tuple[str, ...],
+        resource_privileges: tuple[str, ...],
+        system_privileges: tuple[str, ...],
         resource_spec: str,
         system_spec: str
 ) -> bool:
     """Check whether a user's privileges fulfill the given specs."""
-    return (check(resource_spec, queried_privileges) or
-            check(system_spec, queried_privileges))
+    return (check(resource_spec, resource_privileges) or
+            check(system_spec, system_privileges))
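Review bot: `resource_privileges` and `system_privileges` are adjacent positional parameters of the same type, so a caller that swaps them gets a silently wrong authorisation decision rather than an error. Making them keyword-only would rule that out, e.g. `def privileges_fulfill_specs(*, resource_privileges: tuple[str, ...], system_privileges: tuple[str, ...], resource_spec: str, system_spec: str) -> bool:`, at the cost of requiring keywords at every call to the partials. The docstring should also say which spec is evaluated against which tuple, for example `"""Return True if resource_privileges satisfy resource_spec or system_privileges satisfy system_spec."""`. Callers that still pass a single tuple will fail with a TypeError, which is the safe direction. A caller that passes one merged tuple for both arguments would presumably undo the separation this change introduces, so the call sites are worth checking in the same review.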
diff --git a/gn_libs/privileges/resources.py b/gn_libs/privileges/resources.py
index 4b66c59..217a57d 100644
--- a/gn_libs/privileges/resources.py
+++ b/gn_libs/privileges/resources.py
@@ -11,9 +11,9 @@ logger = logging.getLogger(__name__)
 can_view = partial(
     privileges_fulfill_specs,
     resource_spec=(
-        "(OR group:resource:view-resource system:resource:view "
-        "    system:inbredset:view-case-attribute)"),
-    system_spec="(OR system:system-wide:data:view system:resource:view)")
+        "(OR group:resource:view-resource system:inbredset:view-case-attribute "
+        "    system:resource:public-read)"),
+    system_spec="(OR system:system-wide:data:view)")
 
 
 can_edit = partial(
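Review bot: The new `resource_spec` for `can_view` still names `system:`-prefixed privileges (`system:inbredset:view-case-attribute`, `system:resource:public-read`), yet after the signature change in authspec.py it is evaluated only against `resource_privileges`. Whether those privileges ever appear in the resource-level tuple depends on callers not visible here; if they arrive only in the system-level tuple, these operands can never match and public-read resources would stop being viewable. A comment above the partial stating which tuple carries `system:resource:public-read` would settle it. Separately, `(OR system:system-wide:data:view)` is a single-operand OR; confirm that `check` accepts it, or write the bare privilege if the spec grammar allows.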
@@ -21,13 +21,11 @@ can_edit = partial(
     resource_spec=(
         "(OR "
         "  (AND group:resource:view-resource group:resource:edit-resource) "
-        "  (AND system:resource:view system:resource:edit) "
         "  (AND system:inbredset:view-case-attribute "
         "       system:inbredset:edit-case-attribute))"),
     system_spec=(
         "(OR "
-        "  (AND system:system-wide:data:view system:system-wide:data:edit) "
-        "  (AND system:resource:view system:resource:edit))"))
+        "  (AND system:system-wide:data:view system:system-wide:data:edit))"))
 
 
 def can_batch_edit(queried_privileges: tuple[str, ...]) -> bool:
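Review bot: `can_batch_edit` on the last context line still takes a single `queried_privileges` tuple, while `privileges_fulfill_specs` now requires separate resource and system tuples. Its body is outside this hunk, so it may be unaffected, but if it delegates to `can_edit` or another partial it will now raise a TypeError or have to choose which tuple to pass. Updating its signature in the same commit would keep all `can_*` helpers on the same calling convention.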
@@ -53,15 +51,11 @@ can_delete = partial(
         "       group:resource:edit-resource group:resource:delete-resource) "
         "  (AND system:inbredset:view-case-attribute "
         "       system:inbredset:edit-case-attribute "
-        "       system:inbredset:delete-case-attribute) "
-        "  (AND system:resource:view system:resource:edit "
-        "       system:resource:delete))"),
+        "       system:inbredset:delete-case-attribute))"),
     system_spec=(
         "(OR "
         "  (AND system:system-wide:data:view system:system-wide:data:edit "
-        "       system:system-wide:data:delete) "
-        "  (AND system:resource:view system:resource:edit "
-        "       system:resource:delete))"))
+        "       system:system-wide:data:delete))"))
 
 
 can_apply_or_reject_edit = partial(