From 73e25c4b37320e2a3b34477e550f32c754b7409f Mon Sep 17 00:00:00 2001 From: swve Date: Fri, 8 Jul 2022 21:47:29 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20roles=20:=20organizatio?= =?UTF-8?q?ns=20support?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/routers/orgs.py | 4 ++-- src/services/houses.py | 32 +++++++------------------------- src/services/orgs.py | 7 ++++--- src/services/roles.py | 1 + src/services/security.py | 2 ++ 5 files changed, 16 insertions(+), 30 deletions(-) diff --git a/src/routers/orgs.py b/src/routers/orgs.py index ceb6fcab..e572e69e 100644 --- a/src/routers/orgs.py +++ b/src/routers/orgs.py @@ -20,7 +20,7 @@ async def api_get_org(org_id: str, current_user: User = Depends(get_current_user """ Get single Org by ID """ - return await get_organization(org_id) + return await get_organization(org_id, current_user) @router.get("/page/{page}/limit/{limit}") @@ -28,7 +28,7 @@ async def api_get_org_by(page: int, limit: int, current_user: User = Depends(get """ Get orgs by page and limit """ - return await get_orgs(page, limit) + return await get_orgs(page, limit, current_user) @router.put("/{org_id}") diff --git a/src/services/houses.py b/src/services/houses.py index 0cb6a038..6af483ce 100644 --- a/src/services/houses.py +++ b/src/services/houses.py @@ -34,13 +34,7 @@ async def get_house(house_id: str, current_user: User): house = houses.find_one({"house_id": house_id}) # verify house rights - hasOwnershipRights = await verify_house_rights(house_id, current_user) - - hasRoleRights = await verify_user_rights_with_roles("read", current_user.username, house_id) - - if not hasRoleRights or not hasOwnershipRights: - raise HTTPException( - status_code=status.HTTP_409_CONFLICT, detail="Roles/Ownership : Insufficient rights to perform this action") + await verify_house_rights(house_id, current_user,"read") if not house: raise HTTPException( 
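Review bot: `api_get_org` now passes `current_user` into `get_organization`, but nothing in this patch changes `get_organization` itself — the orgs.py diffstat (+4/-3) is fully accounted for by the `get_orgs` and `verify_org_rights` hunks — so unless that service function already accepts a second parameter the call will fail with a `TypeError` at request time. Threading the user through is also not an authorization check by itself; the service should call `await verify_org_rights(org_id, current_user, "read")` and only then read the document. Please confirm `get_organization`'s signature, which is outside this diff.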
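Review bot: `api_get_org_by` now calls `get_orgs(page, limit, current_user)`, but the `get_orgs` signature later in this patch is still `async def get_orgs(page: int = 1, limit: int = 10):`, so every request to `/page/{page}/limit/{limit}` will raise `TypeError: get_orgs() takes from 0 to 2 positional arguments but 3 were given` and surface as a 500. The minimal fix is to extend the service signature, `async def get_orgs(page: int = 1, limit: int = 10, current_user: User | None = None):`, and then actually use the user to scope the listing instead of leaving the `## TODO : auth` marker. As written the user is threaded through the router but never consulted.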
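Review bot: The `if not house:` branch after the new `verify_house_rights` call appears to be unreachable, because `verify_house_rights` itself raises `HTTP_409_CONFLICT "House does not exist"` for a missing document (see its body later in this patch), so `get_house` now does two lookups and keeps a dead error path. Move the authorization call above `house = houses.find_one({"house_id": house_id})` so nothing is read before the caller is authorized, and drop the trailing `if not house` check (or have `verify_house_rights` return the document it already fetched). Style: `current_user,"read"` is missing the space after the comma, and the same spacing appears in `update_house` and `delete_house`. The remainder of `get_house` is outside the hunk.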
@@ -87,13 +81,7 @@ async def update_house(house_object: House, house_id: str, current_user: User): await check_database() # verify house rights - hasOwnershipRights = await verify_house_rights(house_id, current_user) - - hasRoleRights = await verify_user_rights_with_roles("update", current_user.username, house_id) - - if not hasRoleRights or not hasOwnershipRights: - raise HTTPException( - status_code=status.HTTP_409_CONFLICT, detail="Roles/Ownership : Insufficient rights to perform this action") + await verify_house_rights(house_id, current_user,"update") houses = learnhouseDB["houses"] @@ -119,13 +107,7 @@ async def delete_house(house_id: str, current_user: User): await check_database() # verify house rights - hasOwnershipRights = await verify_house_rights(house_id, current_user) - - hasRoleRights = await verify_user_rights_with_roles("delete", current_user.username, house_id) - - if not hasRoleRights or not hasOwnershipRights: - raise HTTPException( - status_code=status.HTTP_409_CONFLICT, detail="Roles/Ownership : Insufficient rights to perform this action") + await verify_house_rights(house_id, current_user,"delete") houses = learnhouseDB["houses"] @@ -156,7 +138,7 @@ async def get_houses(page: int = 1, limit: int = 10): #### Security #################################################### -async def verify_house_rights(house_id: str, current_user: User): +async def verify_house_rights(house_id: str, current_user: User, action: str): await check_database() houses = learnhouseDB["houses"] 
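Review bot: The new `action` parameter on `verify_house_rights` is an untyped free-form string and the function has no docstring, so the accepted values (`"read"`, `"update"`, `"delete"` at the three call sites in this patch) and the owner-bypass semantics are only discoverable by reading the body. Add a docstring stating that the check passes when the user is listed in the house's `owners` or holds a role granting `action` on `house_id`, raises 409 when the house does not exist and 403 otherwise, and tighten the annotation to `action: Literal["read", "update", "delete"]` (needs `from typing import Literal`) so a misspelled action is caught by the type checker rather than resolved only at runtime. The body of `verify_house_rights` continues past this hunk.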
@@ -166,12 +148,12 @@ async def verify_house_rights(house_id: str, current_user: User): raise HTTPException( status_code=status.HTTP_409_CONFLICT, detail="House does not exist") - isAdmin = current_user.username in house["admins"] + hasRoleRights = await verify_user_rights_with_roles(action, current_user.username, house_id) isOwner = current_user.username in house["owners"] - if not isAdmin and not isOwner: + if not hasRoleRights and not isOwner: raise HTTPException( - status_code=status.HTTP_403_FORBIDDEN, detail="You do not have rights to this house") + status_code=status.HTTP_403_FORBIDDEN, detail="Roles/Ownership : Insufficient rights to perform this action") return True diff --git a/src/services/orgs.py b/src/services/orgs.py index 5083d3a7..4284e04d 100644 --- a/src/services/orgs.py +++ b/src/services/orgs.py @@ -116,6 +116,7 @@ async def delete_org(org_id: str, current_user: User): async def get_orgs(page: int = 1, limit: int = 10): + ## TODO : auth await check_database() orgs = learnhouseDB["orgs"] @@ -127,7 +128,7 @@ async def get_orgs(page: int = 1, limit: int = 10): #### Security #################################################### -async def verify_org_rights(org_id: str, current_user: User): +async def verify_org_rights(org_id: str, current_user: User, action:str,): await check_database() orgs = learnhouseDB["organizations"] @@ -137,10 +138,10 @@ async def verify_org_rights(org_id: str, current_user: User): raise HTTPException( status_code=status.HTTP_409_CONFLICT, detail="Organization does not exist") - isAdmin = current_user.username in org["admins"] isOwner = current_user.username in org["owners"] + hasRoleRights = await verify_user_rights_with_roles(action,current_user.username,org_id) - if not isAdmin and not isOwner: + if not hasRoleRights and not isOwner: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="You do not have rights to this organization") 
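Review bot: Replacing `isAdmin` with `hasRoleRights` silently changes the authorization model: membership in `house["admins"]` no longer grants anything, and the callers' previous requirement (role rights AND admin/owner) becomes role rights OR owner, so any user holding a role that grants `action` on the house now passes without being an owner or admin. If that is intended, say so at the check, e.g. `# owners bypass role checks; "admins" is no longer consulted — non-owners need a role granting `action``, and make sure documents that relied on `admins` have been migrated to roles. Two smaller points: `house["owners"]` raises `KeyError` (a 500) on a document without that field, so `current_user.username in house.get("owners", [])` is safer, and the 409 "House does not exist" is raised before any rights check, so any authenticated user can probe which house ids exist.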
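Review bot: `get_orgs` reads from `learnhouseDB["orgs"]` while `verify_org_rights` in the same file reads `learnhouseDB["organizations"]`, so the listing and the rights check consult different collections; if the data actually lives in `orgs`, the rights check will answer 409 "Organization does not exist" for every id the listing returns. Pick one collection name and hoist it into a module-level constant so the two cannot drift again. The `## TODO : auth` also leaves this endpoint returning every organization to any authenticated user; at minimum filter the page by the caller's ownership or roles before returning it.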
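Review bot: Adding a required positional `action` to `verify_org_rights` changes its signature, yet no caller in orgs.py is updated in this patch (the diffstat's +4/-3 is fully consumed by the visible hunks), so any existing `verify_org_rights(org_id, current_user)` call — `delete_org`, shown in the hunk context above, is a likely candidate — will now fail with a `TypeError` rather than deny access. Either update the callers in the same commit or give the parameter a default that cannot be mistaken for a grant. Style: `action:str,)` should be `action: str)` — space after the colon, no trailing comma.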
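Review bot: The role lookup runs even when `isOwner` is already true, so every owner request pays an extra `verify_user_rights_with_roles` round trip; short-circuit it with `hasRoleRights = isOwner or await verify_user_rights_with_roles(action, current_user.username, org_id)`, which yields the same decision. Two consistency points against the houses.py hunk: the 403 detail there was changed to "Roles/Ownership : Insufficient rights to perform this action" while this one keeps the old text, and `org["owners"]` has the same `KeyError` exposure on a document without that field. Note the role check only resolves to the `organizations` element type if the id starts with `org_` (see the security.py hunk), which I cannot confirm from here.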
diff --git a/src/services/roles.py b/src/services/roles.py index 94a9f325..4278d698 100644 --- a/src/services/roles.py +++ b/src/services/roles.py @@ -24,6 +24,7 @@ class Elements(BaseModel): users: List[str] houses: List[str] collections: List[str] + organizations: List[str] class Role(BaseModel): diff --git a/src/services/security.py b/src/services/security.py index 5308a30b..8a61e51a 100644 --- a/src/services/security.py +++ b/src/services/security.py @@ -70,6 +70,8 @@ async def check_element_type(element_id): return "users" elif element_id.startswith("house_"): return "houses" + elif element_id.startswith("org_"): + return "organizations" elif element_id.startswith("collection_"): return "collections" else:
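Review bot: `organizations: List[str]` is added as a required field on `Elements`, so any role document or request payload created before this change that lacks the key will fail pydantic validation the next time it is parsed through this model — a silent break for existing roles unless a migration backfills the key. Give it a default, `organizations: List[str] = []` (pydantic copies field defaults per instance, so the mutable default is safe here), or note in the commit that stored roles must be migrated. The `Role` model that follows is cut off by the hunk.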
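Review bot: The element type is inferred purely from a caller-supplied id prefix, so whether a role's `organizations` grants apply hinges on organization ids actually starting with `org_`; nothing in this patch shows where those ids are minted, so please confirm against the org creation code. The `else:` branch is outside the hunk, so what an unknown prefix yields — and whether it fails closed — is not visible here. Style: the growing `elif` chain would read better as one lookup, e.g. `for prefix, kind in _ELEMENT_PREFIXES.items(): if element_id.startswith(prefix): return kind`, and the function is `async` with no awaited call in view.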