feat: check if user role and element belong to org

2025-12-18 20:09:25 +00:00 · 2023-03-22 21:37:39 +01:00 · 2023-03-22 21:37:39 +01:00 · 48cf26790a
commit 48cf26790a
parent bae31f795a
2 changed files with 28 additions and 1 deletions
--- a/src/services/courses/lectures/lectures.py
+++ b/src/services/courses/lectures/lectures.py
@ -17,6 +17,7 @@ class Lecture(BaseModel):
 class LectureInDB(Lecture):
    lecture_id: str
    coursechapter_id: str
+    org_id: str
    creationDate: str
    updateDate: str

--- a/src/services/security.py
+++ b/src/services/security.py
@ -31,7 +31,7 @@ async def security_verify_password(plain_password: str, hashed_password: str):
 ### 🔒 Roles checking  ##############################################################


-async def verify_user_rights_with_roles(request: Request, action: str, user_id: str, element_id: str):
+async def verify_user_rights_with_roles(request: Request, action: str, user_id: str, element_id: str, element_org_id: str):
    """
    Check if the user has the right to perform the action on the element
    """
@ -45,6 +45,9 @@ async def verify_user_rights_with_roles(request: Request, action: str, user_id:
    for org in user.orgs:
        # TODO: Check if the org_id (user) is the same as the org_id (element)

+        if org.org_id == element_org_id:
+            return True
+
        # Check if user is owner or reader of the organization
        if org.org_role == ("owner" or "editor"):
            return True
@ -55,6 +58,8 @@ async def verify_user_rights_with_roles(request: Request, action: str, user_id:

    # TODO: Check if the org_id of the role is the same as the org_id of the element using find

+    await check_user_role_org_with_element_org(request, element_id, user_roles)
+
    # Check if user has the right role

    element_type = await check_element_type(element_id)
@ -91,4 +96,25 @@ async def check_element_type(element_id):
            status_code=status.HTTP_409_CONFLICT, detail="Issue verifying element nature")


+async def check_user_role_org_with_element_org(request: Request, element_id: str, roles_list: list[str]):
+
+    element_type = await check_element_type(element_id)
+    element = request.app.db[element_type]
+    roles = request.app.db["roles"]
+
+    # get singular element type
+    singular_form_element = element_type[:-1]
+
+    element_org_id = await element.find_one({singular_form_element + "_id": element_id}, {"org_id": 1})
+
+    for role_id in roles_list:
+        role = RoleInDB(**await roles.find_one({"role_id": role_id}))
+        
+        if role.org_id == element_org_id:
+            return True
+
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN, detail="You don't have the right to perform this action")
+
 ### 🔒 Roles checking  ##############################################################