| -rw-r--r-- | gn_libs/privileges/authspec.py | 7 | ||||
| -rw-r--r-- | gn_libs/privileges/resources.py | 18 | ||||
| -rw-r--r-- | gn_libs/sqlite3.py | 11 |
3 files changed, 20 insertions, 16 deletions
diff --git a/gn_libs/privileges/authspec.py b/gn_libs/privileges/authspec.py index 2ae154f..2819f9d 100644 --- a/gn_libs/privileges/authspec.py +++ b/gn_libs/privileges/authspec.py @@ -167,10 +167,11 @@ def check(spec: str, privileges: tuple[str, ...]) -> bool: def privileges_fulfill_specs( - queried_privileges: tuple[str, ...], + resource_privileges: tuple[str, ...], + system_privileges: tuple[str, ...], resource_spec: str, system_spec: str ) -> bool: """Check whether a user's privileges fulfill the given specs.""" - return (check(resource_spec, queried_privileges) or - check(system_spec, queried_privileges)) + return (check(resource_spec, resource_privileges) or + check(system_spec, system_privileges)) diff --git a/gn_libs/privileges/resources.py b/gn_libs/privileges/resources.py index 4b66c59..217a57d 100644 --- a/gn_libs/privileges/resources.py +++ b/gn_libs/privileges/resources.py @@ -11,9 +11,9 @@ logger = logging.getLogger(__name__) can_view = partial( privileges_fulfill_specs, resource_spec=( - "(OR group:resource:view-resource system:resource:view " - " system:inbredset:view-case-attribute)"), - system_spec="(OR system:system-wide:data:view system:resource:view)") + "(OR group:resource:view-resource system:inbredset:view-case-attribute " + " system:resource:public-read)"), + system_spec="(OR system:system-wide:data:view)") can_edit = partial( @@ -21,13 +21,11 @@ can_edit = partial( resource_spec=( "(OR " " (AND group:resource:view-resource group:resource:edit-resource) " - " (AND system:resource:view system:resource:edit) " " (AND system:inbredset:view-case-attribute " " system:inbredset:edit-case-attribute))"), system_spec=( "(OR " - " (AND system:system-wide:data:view system:system-wide:data:edit) " - " (AND system:resource:view system:resource:edit))")) + " (AND system:system-wide:data:view system:system-wide:data:edit))")) def can_batch_edit(queried_privileges: tuple[str, ...]) -> bool: 
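Review bot: In `privileges_fulfill_specs` (gn_libs/privileges/authspec.py), `resource_privileges` and `system_privileges` are adjacent positional parameters of the same type, so a caller that passes them in the wrong order gets no error and has each spec evaluated against the wrong privilege set. If the callers updated alongside this commit allow it, making the two keyword-only (a bare `*,` before `resource_privileges` in the signature) would turn that mistake into a TypeError. The docstring should also state the new contract, for example `"""Return True if resource_privileges satisfy resource_spec or system_privileges satisfy system_spec; each set is checked only against its own spec."""`.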
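Review bot: The `resource_spec` for `can_view` (first hunk of gn_libs/privileges/resources.py) still lists `system:`-prefixed names, `system:inbredset:view-case-attribute` and the new `system:resource:public-read`, which after the authspec.py change are matched only against `resource_privileges`. Nothing in the hunk explains why system-named privileges are expected in the resource-level set. A comment above `can_view` would prevent a later reader from "fixing" it, for example `# system:* names in resource_spec are privileges attached to the resource itself; system_spec covers system-wide grants only` (my reading of the change, please confirm). The same applies to the `system:inbredset:*` entries kept in `can_edit` (hunk at -21,13) and `can_delete` (hunk at -53,15). Since `system:resource:public-read` alone now satisfies view, it is worth noting next to it who is allowed to attach that privilege to a resource.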
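Review bot: `can_batch_edit`, on the last context line of the hunk at -21,13, still takes a single `queried_privileges` tuple, while `can_edit` now requires both `resource_privileges` and `system_privileges`. Its body lies outside the hunk, so I cannot tell whether it calls `can_edit` or `privileges_fulfill_specs`; if it does, a one-argument call would now raise TypeError for the missing `system_privileges`. Please check it and the other callers of these partials. Either split its parameter the same way or add a comment saying which privilege set it expects.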
@@ -53,15 +51,11 @@ can_delete = partial( " group:resource:edit-resource group:resource:delete-resource) " " (AND system:inbredset:view-case-attribute " " system:inbredset:edit-case-attribute " - " system:inbredset:delete-case-attribute) " - " (AND system:resource:view system:resource:edit " - " system:resource:delete))"), + " system:inbredset:delete-case-attribute))"), system_spec=( "(OR " " (AND system:system-wide:data:view system:system-wide:data:edit " - " system:system-wide:data:delete) " - " (AND system:resource:view system:resource:edit " - " system:resource:delete))")) + " system:system-wide:data:delete))")) can_apply_or_reject_edit = partial( diff --git a/gn_libs/sqlite3.py b/gn_libs/sqlite3.py index 78e1c41..c8bef0d 100644 --- a/gn_libs/sqlite3.py +++ b/gn_libs/sqlite3.py @@ -2,7 +2,7 @@ import logging import traceback import contextlib -from typing import Callable, Iterator +from typing import Callable, Iterator, Any import sqlite3 @@ -43,3 +43,12 @@ def cursor(conn: DbConnection) -> Iterator[DbCursor]: raise exc finally: cur.close() + + +def with_db_connection(db_uri: str, func: Callable[[DbConnection], Any]) -> Any: + """ + Call `func`, a function of one argument with the SQLite3 connection created + from the connection string `db_uri`. + """ + with connection(db_uri) as conn: + return func(conn) |
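Review bot: The docstring of `with_db_connection` (gn_libs/sqlite3.py) does not say that the connection lives only for the duration of the call. Because `return func(conn)` sits inside `with connection(db_uri) as conn:`, anything `func` returns that still depends on `conn` (a cursor, a lazy row iterator) is handed back after the context manager has exited. What `connection` does on exit is outside this hunk, so presumably it closes or commits; that is worth stating. Suggested wording: `"""Call func with a connection opened from db_uri and return its result; the connection is released when func returns, so func must return materialised data, not cursors bound to it."""`. Typing the callback as `Callable[[DbConnection], T]` with return type `T` (which needs `TypeVar` imported from `typing`) would also keep callers' return types from being erased to `Any`.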
